ABSTRACT

Despite the fact that computer scientists have developed a variety of formal methods for proving computer programs correct, the formal verification of a non-trivial program is still a formidable task. Moreover, the notion of proof is so imprecise in most existing verification systems that the validity of the proofs generated is open to question. With an aim toward rectifying these problems, the research discussed in this dissertation attempts to accomplish the following objectives:

1. To develop a programming language which is sufficiently powerful to express many interesting algorithms clearly and succinctly, yet simple enough to have a tractable formal semantic definition.

2. To completely specify both proof-theoretic and model-theoretic formal semantics for this language using the simplest possible abstractions.

3. To develop an interactive program verification system for the language which automatically performs as many of the straightforward steps in a verification as possible,

The first part of the dissertation describes the motivation for creating TYPED LISP, a variant of PURE LISP including a flexible data type definition facility allowing the programmer to create arbitrary recursive types. It is argued that a powerful data type definition facility not only simplifies the task of writing programs, but reduces the complexity of the complementary task of verifying those programs.

The second part of the thesis formally defines the semantics of TYPED LISP. Every function symbol defined in a program P is identified with a function symbol in a first-order predicate calculus language L_P. Both a standard model M_P and a natural deduction system N_P are defined for the language L_P. In the standard model, each function symbol is interpreted by the least call-by-value fixed-point of its defining equation. An informal meta-mathematical proof of the consistency of the model M_P and the deductive system N_P is given.

The final part of the dissertation describes an interactive verification system implementing the natural deduction system N_P.

The verification system includes:

1. A subgoaler which applies rules specified by the user to reduce the proof of the current goal (or theorem) to the proof of one or more subgoals.

2. A powerful simplifier which automatically proves many non-trivial goals by utilizing user-supplied lemmas as well as the rules of N_P.

With a modest amount of user guidance, the verification system has proved a number of interesting, non-trivial theorems including the total correctness of an algorithm which sorts by successive merging, the total correctness of the McCarthy-Painter compiler for expressions, the termination of a unification algorithm and the equivalence of an iterative algorithm and a recursive algorithm for counting the leaves of a tree. Several of these proofs are included in an appendix.

This thesis was submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University in partial fulfillment of the requirements for the degree of Doctor of Philosophy.
CHAPTER 1
INTRODUCTION

1.1 Research Objective

During the past fifteen years, computer scientists have developed a variety of techniques for proving programs correct. Unfortunately, none of these methods have reached the stage where they are practical programming tools. The verification of typical production programs is still far beyond the capability of existing verification systems.

Program verification researchers have frequently ignored practical considerations. Many verification methods employ complex, counter-intuitive formalisms which confuse most computer scientists and totally mystify ordinary programmers. Proofs in these systems tend to be unnatural and very difficult to understand. There is little prospect that they will ever be widely used in practical verification systems. Still other approaches to verification try to reduce the correctness of a program to some other logical problem better suited to mechanization (such as the validity of a single predicate calculus formula). Unfortunately, mechanically "solving" the transformed problem for a non-trivial program is an unfeasibly huge computation (infinite if the program is incorrect). Moreover, the transformed problem often is so unintelligible to the programmer that it is virtually impossible for him to solve—even with the aid of an interactive theorem prover.

Another distressing trend in program verification research has been a careless disregard for firm logical foundations. The notion of proof is so vaguely treated in many verification systems that the "correctness proofs" generated by the systems are of dubious value. Proving a statement using such a system provides little assurance that the statement is true. "Verifying" a program only reduces the correctness of the program to the correctness of the verification system involved (including both the methodology and the proof-checking programs). Computer scientists have been very lax in scrutinizing proposed verification methods for logical flaws.

In the machine implementation of verification systems, there has been far too much emphasis placed on total automation. Most implemented verification systems are almost completely automatic, but none of these automatic systems can verify more than a very limited set of simple programs. Despite intense research efforts, the performance of theorem proving programs still does not approach the level required for automatic verification of non-trivial programs. Furthermore, there is no existing methodology which suggests that sufficiently powerful theorem provers are on the horizon. Completely automatic verification fails to exploit the programmer's intuitive understanding of the programs he creates. Interactive verification controlled by the programmer is a much more promising approach which has not received sufficient attention from researchers in the field.

With these criticisms in mind, my goal has been to develop logically sound, interactive verification methods which show promise of having practical applications. In order for a programmer to guide a verifier through a proof of program correctness, he must understand the proof steps generated by the verifier. Consequently, the formal system used by an interactive verifier should be as intuitively transparent and natural as possible. For this reason, I selected first-order predicate calculus with equality as the basis for my formal system. Proofs in well-designed predicate calculus natural deduction systems (originally developed by Gentzen) closely correspond to their informal counterparts. Furthermore, first-order predicate calculus is a very well understood formal system which has received near universal acceptance among mathematicians as the appropriate system for formalizing mathematical theories.

Programming languages vary widely in their suitability for verification. Ideally a programming language should permit the programmer to directly formalize the simplest, most abstract description of the algorithm he wishes to implement. On the other hand the language should have a brief, tractable formal definition so that we can be confident we have correctly defined its semantics. Consequently, I chose PURE LISP as the basis for my verification system's programming language. PURE LISP is sufficiently powerful to concisely express many complex algorithms, yet it has a simple formal definition. My initial idea was to develop a first-order theory of LISP S-expressions analogous to Peano's axioms for the natural numbers, and then to define the semantics of LISP programs by treating each LISP function as a new primitive function satisfying its defining equation. In other words, for each function definition f(x_1, ..., x_n) ≡ τ(x_1, ..., x_n) in a LISP program, where τ(x_1, ..., x_n) is a LISP expression, the axiom f(x_1, ..., x_n) = τ(x_1, ..., x_n) is appended to the theory. Finally, I planned to develop a natural deduction system for proving theorems in the theory and implement that system in an interactive verifier.

1.2 Previous Work

To my knowledge, R. Boyer and J. Moore [Boyer and Moore 1975; Moore 1975] are the only other computer scientists who have pursued a similar line of research. Their objectives, however, were quite different from mine. Their primary goal was to build a completely automatic verifier which could prove as many simple theorems about LISP functions as possible. To accomplish this objective, they defined the semantics of LISP using an approach very similar to my own. First, they created a first-order theory of S-expressions built from the single atom NIL. Then they defined the semantics of a LISP program P containing only total functions by adding the axiom f(x_1, ..., x_n) = τ(x_1, ..., x_n) for each function definition f(x_1, ..., x_n) ≡ τ(x_1, ..., x_n) in P. Their verifier implements a simple set of proof rules derived from these axioms, including rules which perform symbolic evaluation and induction on the structure of the data. A set of heuristics determines which rule is applied at any given point in an attempted proof.

The Boyer-Moore verifier can automatically prove a surprisingly large number of simple theorems, clearly demonstrating the effectiveness of structural induction and symbolic evaluation in program verification. As a special-purpose automatic theorem prover, Boyer and Moore's verifier is an impressive achievement. However, when judged as a PURE LISP verification system, their work suffers from a number of shortcomings, including the following:

1. Their verifier either proves a theorem totally mechanically or fails completely—there is no provision for user guidance. Some very simple LISP theorems cannot be proved using the Boyer-Moore verifier. A typical example of a trivial theorem the Boyer-Moore verifier cannot prove is the following theorem about the standard LISP function APPEND [Boyer 1975]:

∀x [APPEND(x, APPEND(x, x)) = APPEND(APPEND(x, x), x)]

where

APPEND(x, y) ≡ IF NULL(x) THEN y ELSE CONS(CAR(x), APPEND(CDR(x), y)).

2. Their deductive system is not designed to prove arbitrary theorems about arbitrary PURE LISP programs. Their induction rule, for example, is quite weak, being limited to several restricted forms of step-wise induction on S-expressions (binary-trees). Consequently, proofs requiring more general forms of induction (such as the correctness of a merge sorting algorithm presented later in this paper) are beyond the capabilities of their deductive system.

3. To simplify the process of generating proofs, Boyer and Moore limit the data domain of their LISP subset to S-expressions constructed from the single atom NIL. Unfortunately, theorems about LISP functions in this restricted domain are not necessarily true in the more general domain of standard LISP S-expressions. For example, the statement

∀x [NILTREE(x) = T]

where

NILTREE(x) ≡ NULL(x) OR [NILTREE(CAR(x)) AND NILTREE(CDR(x))]

is a theorem in Boyer and Moore's restricted data domain but obviously is not a theorem in the domain of standard LISP S-expressions (any S-expression containing an atom other than NIL is a counterexample).

4. Since Boyer and Moore's formal system assumes all user-defined functions are total, their verification system only proves partial correctness (i.e. if any function in the program P is not total, any theorem proved about P may not hold). They never defined the semantics of partial functions or developed a method for proving that a particular function is total.

In contrast to Boyer and Moore, my objectives have been to create a consistent formal deductive system capable of proving all theorems of practical interest about PURE LISP programs, and to develop an interactive verifier to help the programmer construct arbitrary proofs within this system. I have not been interested in building any heuristics into the verifier which improve the automatic capabilities of the verifier, but occasionally prevent the programmer from constructing the sequence of proof steps he wants.


1.3 Motivation for Creating TYPED LISP

Early in my research, I discovered that informal, straightforward proofs of simple theorems about LISP functions did not translate directly into formal proofs in my envisioned verification system. In fact, the seemingly trivial task of formally stating many simple theorems turned out to be far more complicated than I anticipated. Consider the ubiquitous sample theorem which asserts that the standard LISP function REVERSE has the property that REVERSE ∘ REVERSE is the identity function. The obvious formal statement of this theorem is:

∀x [REVERSE(REVERSE(x)) = x].

Unfortunately, this formulation of the theorem is unsatisfactory, because it is false (any atom other than NIL is a counterexample). REVERSE is well-defined only for S-expressions which represent linear lists using the standard encoding. In order to correctly state the theorem, we must define an auxiliary boolean LISP function LLIST which is a characteristic function for the subset of S-expressions which represent linear lists. Using LLIST, the correct statement of the theorem is:

∀x [LLIST(x) ⊃ REVERSE(REVERSE(x)) = x].

The proofs of simple theorems about LISP functions within a first-order theory of S-expressions are even more cumbersome. The most concise, natural description of a typical LISP function is not expressed in terms of how it manipulates S-expressions, but in terms of how it operates on some abstract data types which are represented as S-expressions. Unfortunately, the only way to describe LISP functions in a first-order theory of S-expressions is in terms of how they affect S-expressions. Proofs which deal with abstract type representations rather than the abstract types themselves have two very serious drawbacks:

1. Many proof steps must be devoted to checking the correctness of code which encodes or decodes the abstract types as concrete representations.

2. Inductive proofs must use induction on the structure of the representations rather than the structure of the abstract types.

As an illustration, consider the following trivial theorem expressing a simple property of the LISP function APPEND when applied to linear-lists of atoms (henceforth called atom-lists):

∀x ∈ atom-lists [APPEND(x, NIL) = x]

where:

APPEND(x, y) ≡ IF NULL(x) THEN y ELSE CONS(CAR(x), APPEND(CDR(x), y)).

The proof of this theorem is extremely easy in the theory of atom-lists. We merely apply induction on the structure of x. The base step, x = NIL, is trivial:

APPEND(x, NIL) = APPEND(NIL, NIL) = NIL

by symbolic evaluation. For the induction step, we must show that for any atom-list v, the statement:

∀u ∈ atoms [APPEND(CONS(u, v), NIL) = CONS(u, v)]

follows from the induction hypothesis:

APPEND(v, NIL) = v.

But symbolic evaluation reduces:

∀u ∈ atoms [APPEND(CONS(u, v), NIL) = CONS(u, v)]

to:

∀u ∈ atoms [CONS(u, APPEND(v, NIL)) = CONS(u, v)]

which is an immediate consequence of the induction hypothesis and the substitution of equals for equals. Q.E.D.

The proof of the same theorem in the theory of S-expressions is less straightforward. First, in order to correctly state the theorem in terms of S-expressions, we must define a boolean-valued function ATOMLIST which is a characteristic function for the set of S-expressions which represent linear-lists of atoms:

ATOMLIST(x) ≡ IF NULL(x) THEN T
              ELSE IF ATOM(x) THEN NIL
              ELSE ATOM(CAR(x)) AND ATOMLIST(CDR(x))

Using this definition, the theorem can be written:

∀x ∈ S-expressions [ATOMLIST(x) ⊃ APPEND(x, NIL) = x].

As before, the proof of the theorem proceeds by induction on the structure of x. The base step, x ∈ atoms, splits into two cases: x = NIL and x ≠ NIL. The first case is identical to the base step of the atom-list proof. In the second case, x ≠ NIL, symbolic evaluation reduces:

ATOMLIST(x) = T ⊃ APPEND(x, NIL) = x

to:

NIL = T ⊃ APPEND(x, NIL) = x

which is an immediate consequence of the axiom NIL ≠ T. For the induction step we must prove that for any S-expressions u and v:

ATOMLIST(CONS(u, v)) = T ⊃ APPEND(CONS(u, v), NIL) = CONS(u, v)

is a consequence of the induction hypotheses:

ATOMLIST(u) = T ⊃ APPEND(u, NIL) = u

and

ATOMLIST(v) = T ⊃ APPEND(v, NIL) = v.

Like the base step, the induction step has two cases: u ∈ atoms and u ∉ atoms. In the first case, symbolic evaluation reduces:

ATOMLIST(CONS(u, v)) = T ⊃ APPEND(CONS(u, v), NIL) = CONS(u, v)

to:

ATOMLIST(v) = T ⊃ CONS(u, APPEND(v, NIL)) = CONS(u, v)

which is an immediate consequence of the first induction hypothesis and the substitution of equals for equals. In the remaining case, u ∉ atoms, symbolic evaluation reduces:

ATOMLIST(CONS(u, v)) = T ⊃ APPEND(CONS(u, v), NIL) = CONS(u, v)

to:

NIL = T ⊃ CONS(u, APPEND(v, NIL)) = CONS(u, v)

which is an immediate consequence of the axiom NIL ≠ T. Q.E.D.

It is clear that the proof using induction on S-expressions is longer and less transparent than the proof using induction on atom-lists. Since the inductive structure of S-expressions is different from that of atom-lists, the S-expression proof is forced to examine all cases of S-expressions which do not represent atom-lists and prove that they are not atom-list representations.
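The domain-restriction point made for NILTREE in section 1.2 and again here for REVERSE and APPEND can be checked mechanically. The following Python model is an added example, not part of the dissertation: it enumerates every S-expression of bounded depth over a chosen set of atoms and reports the members on which each statement is false or undefined. REVERSE and LLIST follow their standard definitions, which the text names but does not spell out.

```python
# Added example (not from the dissertation): check the theorems discussed in
# sections 1.2 and 1.3 by enumeration over small S-expressions.  An atom is
# modelled as a Python string, CONS(a, d) as the tuple (a, d); applying CAR or
# CDR to an atom is undefined and raises, so a statement whose evaluation is
# undefined counts as failing.
from itertools import product

NIL, T = "NIL", "T"

def cons(a, d): return (a, d)
def atom(x): return isinstance(x, str)
def null(x): return x == NIL

def car(x):
    if atom(x): raise ValueError("CAR of an atom is undefined")
    return x[0]

def cdr(x):
    if atom(x): raise ValueError("CDR of an atom is undefined")
    return x[1]

# Functions defined in the text, with IF/THEN/ELSE as Python conditionals.
def APPEND(x, y):
    return y if null(x) else cons(car(x), APPEND(cdr(x), y))

def NILTREE(x):
    return T if null(x) or (NILTREE(car(x)) == T and NILTREE(cdr(x)) == T) else NIL

def ATOMLIST(x):
    if null(x): return T
    if atom(x): return NIL
    return T if atom(car(x)) and ATOMLIST(cdr(x)) == T else NIL

# REVERSE and LLIST are named but not spelled out in the text; these are the
# standard definitions, assumed here.
def REVERSE(x):
    return NIL if null(x) else APPEND(REVERSE(cdr(x)), cons(car(x), NIL))

def LLIST(x):
    if null(x): return T
    if atom(x): return NIL
    return LLIST(cdr(x))

def sexprs(atoms, depth):
    """All S-expressions over `atoms` whose CONS nesting depth is at most `depth`."""
    level = set(atoms)
    for _ in range(depth):
        level |= {cons(a, d) for a, d in product(level, repeat=2)}
    return level

def counterexamples(theorem, domain):
    """Members of `domain` for which `theorem` is false or undefined."""
    bad = []
    for x in sorted(domain, key=repr):
        try:
            ok = theorem(x)
        except ValueError:          # CAR/CDR of an atom: the value is undefined
            ok = False
        if not ok:
            bad.append(x)
    return bad

# The statements discussed in the text.
def thm_niltree(x):       return NILTREE(x) == T                           # section 1.2, item 3
def thm_reverse_naive(x): return REVERSE(REVERSE(x)) == x                  # section 1.3, first form
def thm_reverse_llist(x): return LLIST(x) != T or REVERSE(REVERSE(x)) == x  # guarded by LLIST
def thm_append_nil(x):    return ATOMLIST(x) != T or APPEND(x, NIL) == x    # guarded by ATOMLIST

if __name__ == "__main__":
    nil_only = sexprs({NIL}, 3)          # Boyer and Moore's restricted domain
    general = sexprs({NIL, "A"}, 3)      # standard S-expressions with one more atom
    print("NILTREE, NIL-only domain:", counterexamples(thm_niltree, nil_only))
    print("NILTREE, general domain: ", counterexamples(thm_niltree, general)[:3], "...")
    print("REVERSE unguarded:       ", counterexamples(thm_reverse_naive, general)[:3], "...")
    print("REVERSE guarded by LLIST:", counterexamples(thm_reverse_llist, general))
    print("APPEND(x,NIL)=x guarded: ", counterexamples(thm_append_nil, general))
```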

The auxiliary function ATOMLIST serves as a clumsy mechanism for specifying the implicit data type atom-list. If we included atom-list as a distinct, explicit data type in our programming language and expanded our first-order theory to include atom-lists as well as S-expressions, the informal proof using induction on atom-lists could be formalized directly in our first-order system. However, since LISP programs typically involve a wide variety of abstract data types, simply adding a few extra data types such as atom-list to LISP will not eliminate the confusion caused by dealing with abstract data type representations rather than the abstract types themselves. In fact, the more complex that an abstract type is, the more confusing that proofs involving its representations are likely to be. Consequently, I decided that the best solution to this problem is to include a comprehensive data type definition facility in LISP and to formally define the semantics of a program P by creating a first-order theory for the particular data types defined in P. The resulting language TYPED LISP is described in the next chapter.
CHAPTER 2
TYPED LISP

2.1 Informal Description of TYPED LISP

TYPED LISP combines a recursive data type definition facility (similar to those proposed by McCarthy [1963] and Hoare [1973]) with a modified subset of PURE LISP. For the sake of semantic simplicity, TYPED LISP does not permit passing functions as parameters or referencing non-local variables (i.e. dynamic scoping). Furthermore, there is no distinction between equivalent and identical data values; there is only one copy of any data value. A TYPED LISP program consists of a set of data type and function definitions. As in PURE LISP, the program is executed by evaluating some expression containing no variables or undefined function identifiers.

2.1.1. Data Type Definitions

The set of primitive data objects in TYPED LISP is the set of all capital identifiers: {A, B, ..., Z, AA, AB, ..., AZ, BA, ..., AAA, ...}. Data types are simply sets constructed from this set of primitive objects using the rules described below. The primitive type atom consists of all primitive data objects except for NIL, ZERO, TRUE, and FALSE. For notational convenience, we let every capital identifier denote the primitive data type consisting of that identifier, e.g. NIL denotes both the data object NIL and the data type {NIL}. The intended meaning of a capital identifier is always clear from its context.

A data type definition in TYPED LISP has the syntax:

type type-identifier ≡ data-type-expression

where type-identifier is a (lower-case) identifier and a data-type-expression is either:

1. An enumeration listing a finite set of primitive data objects:

{C_1, ..., C_n}

e.g.

type boolean ≡ {TRUE, FALSE}.

2. A construction defining a set of data objects which are constructed from simpler objects. A construction has the syntax

c(s_1: T_1, ..., s_n: T_n)

where the constructor c is the type-identifier being defined; s_1, ..., s_n are (lower-case) identifiers naming the component selector functions; and T_1, ..., T_n are the types of the components, e.g.

type pair ≡ pair(atom1: atom, atom2: atom)

which defines the data type pair consisting of ordered pairs of atoms, and creates the constructor function pair: atom × atom → pair for constructing pairs from atoms, and the selector functions atom1, atom2: pair → atom for selecting components of a pair.

3. A disjoint-union

T_1 ∪ ... ∪ T_n

defining the data type formed by the union of the disjoint data types T_1, ..., T_n, e.g.

type ext_pair ≡ NIL ∪ pair.

The disjointness of the subtypes T_1, ..., T_n can easily be checked at parse-time.

4. A recursive-union

β_1 ∪ ... ∪ β_m ∪ c_1 ∪ ... ∪ c_n

of the disjoint data types β_1, ..., β_m (called the base types), and the construction types defined by the recursive constructions c_1, ..., c_n. Each recursive construction must have at least one component type which contains the type defined by the recursive-union. Some sample recursive-union data type definitions are

type natnum ≡ ZERO ∪ suc(pred: natnum)
type tree ≡ atom ∪ cons(car: tree, cdr: tree)

The members of the type natnum defined above are precisely ZERO, suc(ZERO), suc(suc(ZERO)), suc(suc(suc(ZERO))), ...; and the members of type tree are the S-expressions constructed from the base set of objects atom.

Besides all primitive data objects and the primitive data type atom, there are several other pre-defined data types in every TYPED LISP program. The universal type any consists of all data objects defined in the program. All the other pre-defined types can be described in terms of standard TYPED LISP data type definitions as shown below:

type boolean ≡ {TRUE, FALSE}
type natnum ≡ ZERO ∪ suc(pred: natnum)
type minus ≡ minus(abs: suc)
type integer ≡ minus ∪ natnum.

In contrast to PURE LISP, the false boolean value is denoted by the data object FALSE rather than NIL. Furthermore, boolean functions must return either TRUE or FALSE.

2.1.2. Function Definitions

TYPED LISP function definitions have the straightforward syntax

function function-name(p_1: T_1, ..., p_n: T_n): T ≡ ε

where function-name is a (lower-case) identifier naming the function being defined; p_1, ..., p_n are (lower-case) identifiers serving as parameters; T_1, ..., T_n are the types of the corresponding parameters; T is the type of the range of the function; and ε is a TYPED LISP expression containing no variables other than the parameters.

Every TYPED LISP function is strict, i.e. it is undefined if any of its arguments is undefined or belongs to the wrong type. The only primitive or implicitly defined functions in TYPED LISP, other than the constructor and selector functions corresponding to every construction type, appear below, along with their domain and range specifications:

function    domain               range
equals      any × any            boolean
⊂           any × any            boolean
and         boolean × boolean    boolean
or          boolean × boolean    boolean
not         boolean              boolean
:T          any                  boolean    (for every type T)

The functions equals, and, or, and not all have the obvious interpretations. Note that, unlike their PURE LISP counterparts, and and or are call-by-value functions (i.e. they always evaluate both of their arguments). The function ⊂ (written as an infix operator) tests whether or not its first argument is a proper substructure of its second argument. Hence, for any data value t, t ⊂ t returns FALSE, while ZERO ⊂ suc(ZERO) returns TRUE. For every type T, the function :T (written as a postfix operator) is simply the characteristic function for type T. Given any data object x, x:T returns TRUE if x is a member of type T and FALSE otherwise.

Every construction type definition c(s_1: T_1, ..., s_n: T_n) implicitly defines the constructor function c mapping T_1 × ... × T_n into type c and the selector functions s_i mapping type c into type T_i, i = 1, ..., n. The constructor function c applied to arguments x_1, ..., x_n of types T_1, ..., T_n, respectively, returns the constructed data object c(x_1, ..., x_n). Inversely, each selector function s_i applied to the data object c(x_1, ..., x_n) returns x_i.
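As an added illustration (Python, not from the dissertation), the following models the data type definitions of section 2.1.1 together with the strict constructors and selectors, the ⊂ operator and the :T characteristic function described in this section. The tuple encoding of definitions, and the requirement that a recursive construction be entered before the union that mentions it, are choices of this model.

```python
# Added example (not from the dissertation): a Python model of the TYPED LISP
# data type facility of sections 2.1.1 and 2.1.2.  A type definition is
#   ("enum", {primitive objects})              for  {C1, ..., Cn}
#   ("con", ((selector, component type), ...))  for  c(s1: T1, ..., sn: Tn)
#   ("union", (subtype, ...))                   for  T1 U ... U Tn
# Primitive objects are capital-identifier strings; such an identifier used as a
# type denotes the singleton type {identifier}; Python bools stand in for TRUE/FALSE.
from dataclasses import dataclass

RESERVED = {"NIL", "ZERO", "TRUE", "FALSE"}        # excluded from the type atom

@dataclass(frozen=True)
class Obj:                                         # constructed object c(x1, ..., xn)
    con: str
    args: tuple

def overlap(p, q):
    """Can leaf types p and q share an object?  'atom' meets every non-reserved capital identifier."""
    return p == q or ("atom" in (p, q) and any(r.isupper() and r not in RESERVED for r in (p, q)))

def proper_sub(x, y):
    """The infix operator x ⊂ y: x is a proper substructure of y."""
    return isinstance(y, Obj) and any(a == x or proper_sub(x, a) for a in y.args)

class Program:
    def __init__(self):
        self.types, self.selectors = {}, {}
        # pre-defined types of every program (section 2.1.1); a construction is entered first
        self.define("boolean", ("enum", {"TRUE", "FALSE"}))
        self.define("suc", ("con", (("pred", "natnum"),)))
        self.define("natnum", ("union", ("ZERO", "suc")))
        self.define("minus", ("con", (("abs", "suc"),)))
        self.define("integer", ("union", ("minus", "natnum")))

    def leaves(self, T):
        """Constructor names, primitive objects and 'atom' that make up type T."""
        if T == "atom" or T.isupper():
            return {T}
        kind, body = self.types[T]
        if kind == "union":
            return set().union(*(self.leaves(s) for s in body))
        return set(body) if kind == "enum" else {T}

    def define(self, name, defn):
        kind, body = defn
        if kind == "union":                        # parse-time disjointness check
            for i, a in enumerate(body):
                for b in body[i + 1:]:
                    if any(overlap(p, q) for p in self.leaves(a) for q in self.leaves(b)):
                        raise TypeError(f"{name}: subtypes {a} and {b} are not disjoint")
        if kind == "con":
            for i, (sel, _) in enumerate(body):
                self.selectors[sel] = (name, i)
        self.types[name] = defn

    def member(self, x, T):
        """The postfix characteristic function x:T."""
        if T == "any":
            return True
        if T == "atom":
            return isinstance(x, str) and x not in RESERVED
        if T.isupper():
            return x == T
        kind, body = self.types[T]
        if kind == "enum":
            return x in body
        if kind == "union":
            return any(self.member(x, s) for s in body)
        return (isinstance(x, Obj) and x.con == T and len(x.args) == len(body)
                and all(self.member(a, t) for a, (_, t) in zip(x.args, body)))

    def construct(self, c, *args):
        """Strict constructor: undefined (raises) unless each argument has its component type."""
        _, body = self.types[c]
        if len(args) != len(body) or not all(self.member(a, t) for a, (_, t) in zip(args, body)):
            raise TypeError(f"{c}{args} is undefined")
        return Obj(c, tuple(args))

    def select(self, s, x):
        """Strict selector: defined only on objects built by its own constructor."""
        c, i = self.selectors[s]
        if not (isinstance(x, Obj) and x.con == c):
            raise TypeError(f"{s}({x!r}) is undefined")
        return x.args[i]

def demo():
    """The pair, ext_pair and tree definitions of section 2.1.1, exercised."""
    p = Program()
    p.define("pair", ("con", (("atom1", "atom"), ("atom2", "atom"))))
    p.define("ext_pair", ("union", ("NIL", "pair")))
    p.define("cons", ("con", (("car", "tree"), ("cdr", "tree"))))
    p.define("tree", ("union", ("atom", "cons")))
    one = p.construct("suc", "ZERO")
    t = p.construct("cons", "A", p.construct("cons", "B", "C"))
    return {
        "ZERO ⊂ suc(ZERO)": proper_sub("ZERO", one),
        "t ⊂ t": proper_sub(t, t),
        "suc(ZERO):integer": p.member(one, "integer"),
        "pair(A,B):ext_pair": p.member(p.construct("pair", "A", "B"), "ext_pair"),
        "NIL:tree": p.member("NIL", "tree"),
        "atom1(pair(A,B))": p.select("atom1", p.construct("pair", "A", "B")),
    }
```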

2.1.3.  Expressions 

Expressions  in  TYPED  LISP  are  limited  to  the  following  forms: 

1.  An  tf-expresslon  with  syntax: 

If  ij  then  e,$e 
where  { j,  {j,  |g  are  expressions. 

2.  A eau-txprtsslon  with  syntax: 

T case  of  ( 

rn«n 

where  T is  any  data  type  which  is  an  enumeration,  disjoint-union,  or  recursive-union  of 
the  types  T, Tn;  and  f (, (n  are  expressions. 

3.  A function-call  of  one  of  the  following  four  forms: 

/«, «„> 

not 

|j  blnary-booltan-operator  (j 
(|  type-operator  T 
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where  / is  a function-name  (including  constructor  and  selector  names);  |j are 

expressions;  binary-boolean-operator  is  either  equals,  nequals,  e,  -c,  and,  or  or, 
type-operator  is  either  : or  ; and  T is  any  data  type. 

4.  A bracketed  expression 

[t] 

where  ( is  an  expression. 

5.  A primitive  data  object  (capital  identifier). 

In  TYPED  LISP,  expressions  are  evaluated  according  to  a very  simple  set  of  rules.  As  in 
nearly  every  language  (e.g.  ALGOL  W)  implementing  conditional  and  case  expressions,  only 
the  index -expression  and  the  selected  alternative  expression  are  evaluated.  Since  all  TYPED 
LISP  functions  are  strict  (except  for  the  conditional  and  case  operators),  all  function 
arguments  are  passed  by  value-including  the  arguments  of  boolean  binary-operators,  not, 
type-operators,  and  all  constructor  and  selector  functions.  In  other  words,  every  argument  of  a 
function-call  is  evaluated  before  the  function-call  itself  is  evaluated.  Each  of  the  operators 
equals,  c,  and  -:T  (for  each  type  T)  simply  denotes  the  primitive  TYPED  LISP  function  of 
the  same  name.  Similarly,  the  operators  nequals,  -*c,  and  -<\T  (for  each  type  T)  denote  the  the 
functions  not  • equals,  not  • e,  and  not  • sT,  respectively. 

Initially,  I enforced  the  following  standard  parse-time  type  checking  rules  in  expressions: 

1.  The  declared  type  of  an  argument  In  a function-call  must  be  a subset  of  the  declared  type 
of  the  corresponding  formal  parameter. 

2.  The  declared  type  of  the  body  of  a function  must  be  a subset  of  the  declared  type  of  the 
function’s  range. 

S.  The  declared  type  of  the  index-expression  in  a case-expression  must  be  a subset  of  the 
type  declared  at  the  head  of  the  case-expression.  Similarly,  the  type  of  the 
index -expression  in  an  if-expression  must  be  a subset  of  the  type  boolean. 

However,  I quickly  discarded  the  idea  when  it  became  apparent  that  such  type  restrictions 
forced  the  programmer  to  write  awkward,  inefficient  code  in  many  cases.  Consider  the 
following  sample  program  defining  the  commonly  used  functions  assoc  and  put  for 
manipulating  LISP  "a-lists". 


type tree = atom U join(left: tree, right: tree)

type pair = pair(var: atom, val: tree)

type pair_list = NIL U cons(head: pair, tail: pair_list)

type ext_pair = NIL U pair

function assoc(v: atom, l: pair_list): ext_pair =
    pair_list case l of
        NIL:  NIL
        cons: if var(head(l)) equals v then head(l)
              else assoc(v, tail(l))

function put(v: atom, t: tree, l: pair_list): pair_list =
    pair_list case l of
        NIL:  cons(pair(v,t), NIL)
        cons: if var(head(l)) equals v then cons(pair(v,t), tail(l))
              else cons(head(l), put(v,t,tail(l)))

Now assume we want to use the expression val(assoc(v,l)) in a context where l always contains a pair p with var(p) = v. The declared type of assoc is ext_pair, which is not a subset of the domain of the selector function val. Consequently, the expression is syntactically invalid according to standard parse-time type-checking rules, even though its meaning is clear. If we insist on requiring the type of an argument to be a subset of the declared type of the corresponding formal parameter, we must replace

val(assoc(v,l))

by

ext_pair case assoc(v,l) of
    NIL:  some value indicating an error
    pair: val(assoc(v,l))

even though the NIL alternative of the case-expression can never be executed. Since situations of this kind frequently occur in actual programming practice, I relaxed the parse-time type checking rules so that the type of an expression only has to intersect the type required by its context, e.g. the type of an argument must intersect the type of the corresponding formal parameter. Of course, in an actual TYPED LISP implementation, run-time type checking should be done in all those cases where the standard parse-time rules are violated. If the user formally proves that a certain run-time error can never occur, then that particular check can be safely eliminated.


2.2  Syntax  of  TYPED  LISP 

The  formal  syntax  description  appears  below.  I have  followed  Hoare  and  Wirth’s  syntax 
diagram  notation  as  closely  as  possible  using  the  graphics  characters  available  to  me. 
Non-terminal  symbols  appear  in  standard  type;  terminal  symbols  appear  in  boldface. 
[Syntax diagrams (graphics not reproduced in this text) for the non-terminals: data-type-definition, type-identifier, enumeration, constant, recursive-union, function-declaration, function-name, function-definition, expression, if-expression, factor, function-call, execution-expression.]
The  syntax  rules  which  are  not  context  free  appear  below: 

1. The identifiers atom, any, boolean, natnum, suc, minus, integer, and all capital-identifiers are pre-defined type-names for every TYPED LISP program P. The selectors pred and abs are implicitly defined within the constructions of suc and minus [see Section 2.1.1].

2.  An  identifier  employed  as  a constructor,  selector,  type-name,  or  function  name  must  be 
unique.  No  such  identifier  may  be  used  as  a variable.  Furthermore,  the  variables 
declared  within  a particular  function  definition  must  be  distinct. 

3. The identifiers type, function, declare, partial, if, then, else, case, of, and, or, not, equals, and nequals are all reserved; they may not be defined by the user as type-names, selectors, constructors, or function-names.

4. Before an identifier appears in a data-type-expression as a type-name it must be defined in a data-type-definition as a type-name or constructor, with two exceptions:

a.  In  the  definition  of  a recursive  type  T,  the  type-names  used  in  selector-declarations 
may  be  defined  anywhere  in  the  program. 

b.  If  a type-name  T is  defined  by  a data-type-expression  which  is  a construction,  then 
the  constructor  name  must  also  be  T. 

5. The type-names which appear as alternatives in a disjoint-union must denote disjoint types. We defer the definition of disjoint type-names until the next chapter (Section 2.3.2), where we will continually use that definition in proofs. Despite the fact that the definition for disjointness of type-names is given in the chapter on semantics, it is really a syntactic notion: we can easily check at parse time whether or not two types are disjoint.

6. Every declared function must eventually be defined by a function definition. Furthermore, the parameter lists must be identical in both cases.

7.  A particular  variable  v may  not  appear  within  the  expression  forming  the  body  of  a 
function-definition  unless  it  is  declared  in  the  function-definition. 

8. The type-name T heading a case-expression must be defined as an enumeration, a disjoint-union, or a recursive-union. Within the case-expression T case ξ of ..., the case alternatives must be in one-to-one correspondence (including the same ordering) with the subtype alternatives. Each case alternative must begin with the name of the corresponding subtype.

9.  A function-name  may  not  appear  in  a function-call  unless  it  has  already  been  declared  as 
a function-name  in  a function-declaration,  or  as  a constructor  or  selector  in  a 
construction.  In  a function-call,  the  enclosed  list  of  arguments  must  contain  the 
appropriate  number  of  arguments  for  the  particular  function  being  called. 

10.  No  variables  may  appear  in  an  execution-expression. 

2.3  Semantics  of  TYPED  LISP 

Before defining the semantics of TYPED LISP, we must establish some notation for distinguishing between a symbol and what it denotes. In cases where the distinction is necessary, we will underline the symbol when talking about its denotation. On the other hand, when no confusion is possible, we will usually omit the underlining of denotations in the interests of improved readability.

In this section, we will define the meaning of an arbitrary TYPED LISP program P by using the following approach. First, we will define a first-order predicate calculus language Lp (including equality) such that the terms of Lp include all syntactically valid TYPED LISP expressions given the functions and data types defined in P. Then, to define the meaning of terms and formulas in the language Lp, we will construct a standard structure Mp consisting of a data domain and interpretations for all the constant, function, and predicate symbols in the language. We will use Mp to define the meaning of any statement about P written in Lp.

2.3.1.  Assertion  Language  Syntax 

Before  we  can  define  the  syntax  of  our  assertion  language,  we  must  review  the  standard 
definition  for  a first  order  predicate  calculus  language  including  equality: 

Definition. Given a countably infinite set of variables V, a (possibly empty) set of constant symbols C, a (possibly empty) set of n-ary function symbols F_n for each positive integer n, and a (possibly empty) set of n-ary predicate symbols P_n for each positive integer n, we define the corresponding first order language L (including equality) as follows. The terms of L are defined by the inductive rules:

a. Any variable v ∈ V is a term.

b. Any constant symbol c ∈ C is a term.

c. If t_1, ..., t_n are terms and f ∈ F_n (f is an n-ary function symbol), then f(t_1, ..., t_n) is a term.

The formulas of L are defined by the rules:

a. If t_1 and t_2 are terms, then t_1 = t_2 is a formula.

b. If t_1, ..., t_n are terms and p ∈ P_n (p is an n-ary predicate symbol), then p(t_1, ..., t_n) is a formula.

c. If α and β are formulas, then (α ∧ β) is a formula.

d. If α and β are formulas, then (α ∨ β) is a formula.

e. If α and β are formulas, then (α ⊃ β) is a formula.

f. If α is a formula, then (¬α) is a formula.

g. If α is a formula and v ∈ V (v is a variable), then (∀v α) is a formula.

h. If α is a formula and v ∈ V (v is a variable), then (∃v α) is a formula.

Given  a TYPED  LISP  program  P,  the  assertion  language  Lp  is  the  first-order  language  with 
the  following  specifications. 

1. The variables of Lp are:

a. All identifiers which are not reserved or defined as type names, constructors, selectors, or function names in P.

b. Subscripted single-letter identifiers, i.e. a1, b1, ..., a2, b2, ...

2. The constant symbols of Lp are ω, A, B, ..., Z, AA, AB, ..., AZ, ..., AAA, ..., i.e. all valid TYPED LISP constants plus ω.

3. The function symbols of Lp are equals, ∈, not, or, and, is-T (for every type name T defined in P), T-case (for each type name T defined in P which is a disjoint or recursive union), and all the function names, selectors, and constructors defined in P. Each function symbol f in Lp takes exactly the same number of arguments as its counterpart in P; hence, not and is-T (for every type T defined in P) take one argument; equals and ∈ take two arguments; and T-case takes n+1 arguments where n is the number of subtype alternatives in the disjoint union forming T.

4. There are no predicate symbols in Lp.

We will omit parentheses around formulas whenever convenient. In the absence of parentheses, the precedence of connectives in decreasing order of binding power is ∧, ∨, ⊃. All of the binary connectives (∧, ∨, ⊃) are right associative.
To make the syntax of Lp and TYPED LISP consistent, we include the following abbreviations in Lp. Let ξ, ψ, φ, a_1, a_2, ... denote arbitrary terms, and let T denote an arbitrary type. Then:

1. not ξ stands for not(ξ)

2. ξ equals ψ stands for equals(ξ,ψ)

3. ξ nequals ψ stands for not(equals(ξ,ψ))

4. ξ ∈ ψ stands for ∈(ξ,ψ)

5. ξ ¬∈ ψ stands for not(∈(ξ,ψ))

6. ξ :T stands for is-T(ξ)

7. ξ ¬:T stands for not(is-T(ξ))

8. if ξ then ψ else φ stands for boolean-case(ξ,ψ,φ)

9. T case ξ of T_1: a_1, ..., T_n: a_n stands for T-case(ξ,a_1,...,a_n)

(where T is defined as the disjoint union of the types T_1, ..., T_n)

The operators introduced in the above abbreviations are ranked in decreasing order of precedence in equivalent groups as follows:

{:T, ¬:T} (for any type T)
{equals, nequals, ∈, ¬∈}
{not}
{or}
{and}

When  the  syntax  of  Lp  is  extended  to  include  the  above  abbreviations,  the  set  of  terms  of  Lp 
includes  all  syntactically  valid  TYPED  LISP  expressions  given  the  declarations  in  P. 

For notational convenience, we also introduce the following formula abbreviations, where ξ, ψ are arbitrary terms and α, β are arbitrary formulas.

1. ξ ≠ ψ stands for ¬(ξ = ψ)

2. α ≡ β stands for (α ⊃ β) ∧ (β ⊃ α)

3. ξ stands for ξ = TRUE

The new connective ≡ has lower precedence than the other connectives (¬, ∧, ∨, ⊃). Like the other binary connectives, it is right associative. Of the three abbreviations introduced above, the last one is by far the most important. Abbreviating the formula ξ = TRUE by the term ξ allows us to treat boolean expressions as formulas without jeopardizing the soundness of our formal system. In addition, this abbreviation permits us to denote the universally valid formula by the boolean truth value TRUE and the unsatisfiable formula by the boolean truth value FALSE without any loss of precision. Adding this abbreviation to Lp does not make the syntax of Lp ambiguous; a term's context uniquely determines whether or not it abbreviates a formula.

2.3.2.  Assertion  Language  Semantics 

We will use a standard first order definition of truth for formulas in Lp given interpretations for the constant symbols and function symbols [Enderton 1972]. The formal definitions appear below.

Definition. Given a first order language L, a structure M corresponding to L is a quadruple with the following components:

1. A non-empty set |M| called the domain of M.

2. For each constant symbol C in L, a member C of |M|.

3. For each n-ary function symbol f in L, an n-ary function f : |M|^n → |M|.

4. For each n-ary predicate symbol P, an n-ary relation P ⊆ |M|^n.

Definition. Let M be a structure for a first-order language L including equality. An interpretation function for M is any function mapping the set of variables in L into |M|.

Definition. Let s be an interpretation function for the structure M. Given M and s, the meaning of any term or formula γ in L is <γ, M, s>, where < > denotes a translation function that, given a structure M and an interpretation function s, maps the formulas in L into truth values (true or false) and the terms of L into elements of |M|. We define the translation function < > as follows:

1. For any constant C in L,

<C, M, s> = C (the element of |M| assigned to the symbol C).

2. For any variable x in L,

<x, M, s> = s(x).

3. For any term in L that is a function call f(α_1, ..., α_n),

<f(α_1, ..., α_n), M, s> = f(<α_1, M, s>, ..., <α_n, M, s>).

4. For any atomic formula in L of the form α = β,

<α = β, M, s> = true if <α, M, s> and <β, M, s> are equal
              = false otherwise.

5. For any atomic formula in L of the form P(α_1, ..., α_n),

<P(α_1, ..., α_n), M, s> = true if (<α_1, M, s>, ..., <α_n, M, s>) ∈ P
                         = false otherwise.

6. For any formula in L of the form θ ∧ φ,

<θ ∧ φ, M, s> = true if <θ, M, s> is true and <φ, M, s> is true
              = false otherwise.

7. For any formula in L of the form θ ∨ φ,

<θ ∨ φ, M, s> = true if <θ, M, s> is true or <φ, M, s> is true
              = false otherwise.

8. For any formula in L of the form θ ⊃ φ,

<θ ⊃ φ, M, s> = true if <θ, M, s> is false or <φ, M, s> is true
              = false otherwise.

9. For any formula in L of the form ¬θ,

<¬θ, M, s> = true if <θ, M, s> is false
           = false otherwise.

10. For any formula in L of the form ∀xθ,

<∀xθ, M, s> = true if <θ, M, s'> is true for all interpretation functions s' such that s'(y) = s(y) for every variable y distinct from x
            = false otherwise.

11. For any formula in L of the form ∃xθ,

<∃xθ, M, s> = true if <θ, M, s'> is true for some interpretation function s' such that s'(y) = s(y) for every variable y distinct from x
            = false otherwise.

The translation of a term or formula γ corresponds exactly to our intuitive understanding of the meaning of γ given that each free variable v denotes s(v), each constant symbol denotes the corresponding element in M, each function symbol denotes the corresponding function in M, each predicate symbol denotes the corresponding relation in M, and the built-in equality predicate denotes the binary relation {(x,x) | x ∈ |M|}.

We  will  use  the  following  terminology  concerning  structures  throughout  the  sequel. 

Definition. We say that a formula α is true in M for s (M satisfies α for s) if and only if <α, M, s> = true. We call M a model for α (denoted M ⊩ α) iff M satisfies α for all interpretation functions s. If every formula in a theory (set of formulas) T in L is satisfied by M, then we say that M is a model for T (denoted M ⊩ T).

Proofs of metatheorems about our formal system will frequently rely on the following lemma without specifically citing it, since it is intuitively obvious:

Lemma 1. If two interpretation functions s1 and s2 are identical for all the free variables appearing in a formula or term γ, then <γ, M, s1> is identical to <γ, M, s2>.

Proof. Immediate from the definition of the meaning of terms and formulas.
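The translation function defined above, worked through in code. This is an added example, not the dissertation's own material: it evaluates <γ, M, s> over a small constructed finite structure M (domain {0,1,2,3}, addition modulo 4 as the one function symbol, a "less" predicate), so that the quantifier clauses 10 and 11 can be decided by enumerating |M|; it also checks the content of Lemma 1 by computing the free variables of a formula. The term and formula encoding, the structure M and the sample formulas are this example's own constructions.

```python
# Added example (not from the dissertation): the translation function <γ, M, s>
# for a constructed finite structure M, with quantifiers decided by enumeration.
from itertools import product

# Constructed structure M: domain {0,1,2,3}, one constant symbol, one binary
# function symbol interpreted as addition modulo 4, one binary predicate symbol.
DOMAIN = [0, 1, 2, 3]
CONSTANTS = {"ZERO": 0}
FUNCTIONS = {"plus": lambda x, y: (x + y) % 4}
PREDICATES = {"less": {(x, y) for x in DOMAIN for y in DOMAIN if x < y}}

# Encoding (this example's own): a term is a constant name, a variable name, or
# (f, t1, ..., tn); a formula is ("=", t1, t2), (P, t1, ..., tn),
# ("and"|"or"|"implies", a, b), ("not", a), or ("forall"|"exists", x, a).

def term_value(t, s):
    """Rules 1-3: <t, M, s> for a term; s is an interpretation function (a dict)."""
    if isinstance(t, str):
        return CONSTANTS[t] if t in CONSTANTS else s[t]
    f, *args = t
    return FUNCTIONS[f](*(term_value(a, s) for a in args))

def truth(phi, s):
    """Rules 4-11: <φ, M, s> for a formula."""
    op, *args = phi
    if op == "=":
        return term_value(args[0], s) == term_value(args[1], s)
    if op in PREDICATES:
        return tuple(term_value(a, s) for a in args) in PREDICATES[op]
    if op == "and":
        return truth(args[0], s) and truth(args[1], s)
    if op == "or":
        return truth(args[0], s) or truth(args[1], s)
    if op == "implies":
        return (not truth(args[0], s)) or truth(args[1], s)
    if op == "not":
        return not truth(args[0], s)
    x, body = args
    # s' ranges over the interpretation functions agreeing with s except possibly at x
    variants = [{**s, x: d} for d in DOMAIN]
    if op == "forall":
        return all(truth(body, s2) for s2 in variants)
    if op == "exists":
        return any(truth(body, s2) for s2 in variants)
    raise ValueError(f"unknown connective {op!r}")

def term_variables(t):
    if isinstance(t, str):
        return set() if t in CONSTANTS else {t}
    return set().union(*(term_variables(a) for a in t[1:]))

def free_variables(phi):
    """Free variables of a formula; by Lemma 1 only these influence <φ, M, s>."""
    op, *args = phi
    if op in ("forall", "exists"):
        return free_variables(args[1]) - {args[0]}
    if op in ("and", "or", "implies", "not"):
        return set().union(*(free_variables(a) for a in args))
    return set().union(*(term_variables(a) for a in args))   # "=" or a predicate

def is_model_of(phi):
    """M ⊩ φ: φ is true in M for every interpretation function s. By Lemma 1 it
    suffices to try every assignment of domain elements to the free variables."""
    free = sorted(free_variables(phi))
    return all(truth(phi, dict(zip(free, values)))
               for values in product(DOMAIN, repeat=len(free)))

# Constructed sample formulas.
EVERY_X_HAS_INVERSE = ("forall", "x", ("exists", "y", ("=", ("plus", "x", "y"), "ZERO")))
SOME_Y_ABOVE_ALL = ("exists", "y", ("forall", "x", ("less", "x", "y")))
LESS_IMPLIES_UNEQUAL = ("implies", ("less", "x", "y"), ("not", ("=", "x", "y")))
```

Over the domain of Mp the quantifier clauses cannot be enumerated this way, since |Mp| is infinite; that is exactly why the next chapter turns to a deductive system rather than to evaluation.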


Before constructing the structure corresponding to an arbitrary TYPED LISP program P, we must define the containment and disjointness relations on type names. Intuitively, the elementary or minimal types in a TYPED LISP program P are the primitive data objects (pre-defined types in every program) and the constructor types defined in P. Every other type defined in P can be uniquely decomposed into a (possibly infinite) union of these elementary types. The disjointness and containment relations on type names can easily be defined in terms of these decompositions. We formalize this approach in the following definitions.

Definition.  A type-name  which  is  a capital-identifier  or  a constructor  is  minimal. 

Definition. The normal form for a type name T defined in P (denoted NF(T)) is a set of TYPED LISP minimal type-names defined inductively by the rules:

a. For any type name C which is a capital-identifier: NF(C) = {C}.

b. For any type name c which is a constructor defined in P: NF(c) = {c}.

c. NF(atom) = {all capital-identifiers except NIL, TRUE, FALSE, ZERO}.

d. NF(any) = {all constructors} ∪ {all capital-identifiers}.

e. For any type name T defined in P as the union (enumeration, disjoint-union, or recursive union) of the type names T_1, ..., T_n:

NF(T) = NF(T_1) ∪ ... ∪ NF(T_n).

Definition. Let U and V be any type names defined in P. We say that U contains V (denoted V ≤ U) iff NF(V) is a subset of NF(U).

Definition. Two data type-names U and V are disjoint iff NF(U) and NF(V) are disjoint sets.

The binary relation ≤ satisfies all the defining properties of a reflexive partial ordering except for anti-symmetry (x ≤ y and y ≤ x implies x = y). Two type-names U and V may be equivalent without being identical (i.e. U ≤ V and V ≤ U, but U ≠ V). In the next section, after defining the interpretations for type-names, we will prove that type-name U ≤ type-name V iff the data type denoted by U is a subset of the data type denoted by V. Furthermore, we will verify that two type-names are disjoint if and only if the data types they denote are disjoint sets.
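The normal-form definitions above make both the containment relation and the parse-time type checks of Section 2.1 mechanical. As an added example that is not part of the dissertation, the following code computes NF(T), V ≤ U and disjointness for the assoc/put sample program, checks syntax rule 5 (alternatives of a union must be disjoint), and contrasts the original "subset" argument rule with the relaxed "intersect" rule on the expression val(assoc(v,l)) that motivated the relaxation. The TYPES table and the finite stand-in for the set of capital identifiers are this example's own constructions.

```python
# Added example (not from the dissertation): NF(T), containment, disjointness and
# the two parse-time argument rules for the assoc/put sample program.
from typing import Dict, FrozenSet, List, Union

# A list is a union of type names; a dict is a construction (selector -> type).
TYPES: Dict[str, Union[List[str], Dict[str, str]]] = {
    "boolean":   ["TRUE", "FALSE"],
    "tree":      ["atom", "join"],
    "join":      {"left": "tree", "right": "tree"},
    "pair":      {"var": "atom", "val": "tree"},
    "pair_list": ["NIL", "cons"],
    "cons":      {"head": "pair", "tail": "pair_list"},
    "ext_pair":  ["NIL", "pair"],
}

# The capital identifiers are really infinite (A, B, ..., AA, ...); a finite
# stand-in is enough to decide containment between the types defined above.
CAPITALS = frozenset({"NIL", "TRUE", "FALSE", "ZERO", "A", "B", "C"})
RESERVED = frozenset({"NIL", "TRUE", "FALSE", "ZERO"})

def nf(t: str) -> FrozenSet[str]:
    """NF(T): the set of minimal type names (capital identifiers and constructors)
    into which T decomposes, following rules a-e of the definition."""
    if t == "atom":                        # rule c
        return CAPITALS - RESERVED
    if t == "any":                         # rule d
        return CAPITALS | frozenset(n for n, d in TYPES.items() if isinstance(d, dict))
    if t in CAPITALS:                      # rule a
        return frozenset({t})
    d = TYPES[t]
    if isinstance(d, dict):                # rule b: a constructor is minimal; NF does
        return frozenset({t})              # not look through its selector types
    return frozenset().union(*(nf(alt) for alt in d))   # rule e: a union

def contains(u: str, v: str) -> bool:
    """U contains V (V <= U) iff NF(V) is a subset of NF(U)."""
    return nf(v) <= nf(u)

def disjoint(u: str, v: str) -> bool:
    """U and V are disjoint iff NF(U) and NF(V) share no minimal type."""
    return not (nf(u) & nf(v))

def union_well_formed(t: str) -> bool:
    """Syntax rule 5: the alternatives of a union must be pairwise disjoint."""
    alts = TYPES[t]
    return all(disjoint(a, b) for i, a in enumerate(alts) for b in alts[i + 1:])

def strict_argument_check(arg_type: str, param_type: str) -> bool:
    """The original rule 1: the argument's declared type must be a subset of the
    declared type of the formal parameter."""
    return contains(param_type, arg_type)

def relaxed_argument_check(arg_type: str, param_type: str) -> bool:
    """The relaxed rule: the two types need only intersect; the remaining cases
    are covered by a run-time check unless it is proved unnecessary."""
    return not disjoint(arg_type, param_type)

def val_of_assoc_passes(check) -> bool:
    """val(assoc(v,l)): assoc has range ext_pair, while val is a selector of pair."""
    return check("ext_pair", "pair")
```

The strict rule rejects val(assoc(v,l)) because NF(ext_pair) = {NIL, pair} is not a subset of NF(pair) = {pair}; the relaxed rule accepts it because the two sets intersect, leaving the NIL case to a run-time check or a proof.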

Now  we  are  finally  ready  to  define  the  meaning  of  an  arbitrary  TYPED  LISP 
program.  For  any  TYPED  LISP  program  P,  we  construct  the  standard  structure  Mp  as 
follows: 

1. The domain |Mp| consists of the following symbols:

a. All underlined capital-identifiers, e.g. A, B, ..., Z, AA, ... Each underlined capital-identifier C belongs to every type T defined in P such that C ≤ T (including C itself, of course). Using alternate terminology, C belongs to type T if and only if C ∈ NF(T).

b. The symbol ω, which does not belong to any type.

c. For each construction definition c(s_1: T_1, s_2: T_2, ..., s_n: T_n) in P and for any symbols α_1, ..., α_n in |Mp| of types T_1, ..., T_n, respectively, the symbol c(α_1, ..., α_n) is also in |Mp| and belongs to every type T defined in P such that c ≤ T (including c itself, of course). In normal form terminology, c(α_1, ..., α_n) ∈ |Mp| belongs to type T if and only if c ∈ NF(T).

2. Each constant symbol C in Lp is assigned the element C of |Mp|.

3. Each n-ary function symbol f in Lp is assigned an n-ary function f : |Mp|^n → |Mp| as follows:

a. We define the functions equals, ∈, and, or : |Mp|^2 → |Mp| and not : |Mp| → |Mp| corresponding to the function symbols equals, ∈, and, or, and not, respectively, by:

equals(x,y) = ω if x = ω or y = ω
            = TRUE if x = y and x, y ≠ ω
            = FALSE otherwise

∈(x,y) = ω if x = ω or y = ω
       = TRUE if x textually occurs in y and x ≠ y
       = FALSE otherwise

and(x,y) = ω if x ¬: boolean or y ¬: boolean
         = TRUE if x = TRUE and y = TRUE
         = FALSE otherwise

or(x,y) = ω if x ¬: boolean or y ¬: boolean
        = TRUE if x = TRUE or y = TRUE
        = FALSE otherwise

not(x) = ω if x ¬: boolean
       = TRUE if x = FALSE
       = FALSE otherwise

b. For each type T defined in P, we define the function is-T : |Mp| → |Mp| interpreting the function symbol is-T by:

is-T(x) = TRUE if x ∈ type T
        = ω if x = ω
        = FALSE otherwise.

c. For each type T defined in P as the union (enumeration, disjoint union, or recursive union) of the types T_1, ..., T_n, we define the function T-case : |Mp|^(n+1) → |Mp| interpreting the function symbol T-case by:

T-case(x_0, x_1, ..., x_n) = x_i if x_0 ∈ T_i, 1 ≤ i ≤ n,
                          = ω otherwise.

d. For each construction definition c(s_1: T_1, s_2: T_2, ..., s_n: T_n) in P, we define the functions c : |Mp|^n → |Mp| and s_i : |Mp| → |Mp| for i = 1, 2, ..., n by:

c(x_1, ..., x_n) = c(x_1, ..., x_n) if x_i ∈ type T_i, 1 ≤ i ≤ n,
                 = ω otherwise.

s_i(x) = ω if x ∉ type c
s_i(c(x_1, ..., x_n)) = x_i

e. For each function symbol g explicitly defined in a function definition in P,

function g(x_1 : T_1, ..., x_n : T_n) : T = τ,

we define the corresponding function g : |Mp|^n → |Mp| by the following process. First, we create an infinite sequence of structures ℳp = {Mp^j | j = 0, 1, ...} for Lp such that every member Mp^j is identical to Mp except for the interpretations assigned to explicitly defined function symbols. Each explicitly defined function name g is interpreted in Mp^j by the function g^j : |Mp|^n → |Mp| defined by:

g^j(x_1, ..., x_n) = <τ, Mp^(j-1), s> if j > 0 and x_i ∈ T_i for all i, 1 ≤ i ≤ n,
                   = ω otherwise,

where s is any interpretation function mapping x_i into x_i, 1 ≤ i ≤ n.

From an intuitive viewpoint, g^j is simply the function computed by evaluating g to function-call depth j and returning ω if the computation is incomplete. Informally, we want to interpret g as the limit of g^j as j approaches ∞. Restated in more precise terms, our goal is to define g as the least upper bound of the sequence G = {g^j | j = 0, 1, ...} under the usual partial ordering ⊑ on computable functions. To achieve this goal, we must define the partial ordering ⊑ on functions and prove that the least upper bound of the sequence G exists.

Definition. For any two elements x, y ∈ |Mp|, we say x is less defined or equal to y (denoted x ⊑ y) iff x = ω or x = y. For any two functions r, s : |Mp|^n → |Mp|, we say r is less defined or equal to s (denoted r ⊑ s) iff r(x_1, ..., x_n) ⊑ s(x_1, ..., x_n) for all x_1, ..., x_n ∈ |Mp|. For any two structures M_1, M_2 in the sequence of structures ℳp for the program P, we say that M_1 is less defined or equal to M_2 (denoted M_1 ⊑ M_2) iff the interpretation for every function symbol f in M_1 is less defined or equal to (⊑) the corresponding interpretation in M_2.

Given  these  definitions,  it  is  a straightforward  task  to  prove  the  following  lemmas 
leading  to  our  main  theorem. 

Lemma 2. Any ascending sequence of elements X = {x_i | i = 0, 1, ...} in |Mp| has a least upper bound.

Proof. The sequence is either identically ω for all i, or there exists an integer k ≥ 0 such that x_k ≠ ω. In the former case, ω obviously is a least upper bound. In the latter case, x_i = x_k for all i ≥ k, since no other element in |Mp| is ⊒ x_k. Consequently, x_k is a least upper bound. Q.E.D.

Lemma 3. Any ascending sequence of functions {f_i | i = 0, 1, ...} in the function space |Mp|^n → |Mp| has a least upper bound.

Proof. Let g : |Mp|^n → |Mp| be defined by

g(x_1, ..., x_n) = l.u.b.{f_i(x_1, ..., x_n) | i = 0, 1, ...}.

We know that l.u.b.{f_i(x_1, ..., x_n) | i = 0, 1, ...} exists by the previous lemma, implying that g is well-defined. Furthermore, by the definition of the ⊑ relation on functions, g must be the least upper bound of the sequence of functions {f_i | i = 0, 1, ...}, since for any x_1, ..., x_n ∈ |Mp|, g(x_1, ..., x_n) = l.u.b.{f_i(x_1, ..., x_n) | i = 0, 1, ...}. Q.E.D.

Lemma 4. Let M_1 and M_2 be structures in the sequence {Mp^j | j = 0, 1, ...} such that M_1 ⊑ M_2. For any term τ in Lp and any interpretation function s for |Mp|, <τ, M_1, s> ⊑ <τ, M_2, s>.

Proof. By induction on the structure of τ.

Case 1. τ is a constant. This case is trivial since the interpretation of constants is identical in M_1 and M_2.

Case 2. τ is a variable. This case is also trivial since the interpretation of a variable is entirely independent of the structure; it depends only on s.

Case 3. τ is a function call of the form f(τ_1, ..., τ_n). By the induction hypothesis <τ_i, M_1, s> ⊑ <τ_i, M_2, s> for i = 1, ..., n.

Subcase 3a. f is T-case for some type name T which is the union of the types T_i, i = 2, ..., n. By the definition of the sequence of structures ℳp, we know T-case is interpreted by T-case in every structure in the sequence. Hence, for any structure M in the sequence,

<τ, M, s> = T-case(<τ_1, M, s>, ..., <τ_n, M, s>).

If <τ_1, M_1, s> does not belong to type T, then <τ, M_1, s> equals ω and the lemma holds. Otherwise, the induction hypothesis implies <τ_1, M_1, s> = <τ_1, M_2, s> ∈ T_i for some i. As a result,

<τ, M_1, s> = <τ_i, M_1, s> ⊑ <τ_i, M_2, s> = <τ, M_2, s>,

proving the lemma in this subcase.

Subcase 3b. f is not T-case for any type name T. Consequently, the interpretation for f in every structure in the sequence ℳp is strict. Let f_1 and f_2 denote the interpretations for f in M_1 and M_2 respectively, and let T_1 × ... × T_n be the domain for f declared in P. If, for some i, <τ_i, M_1, s> does not belong to T_i, then

<τ, M_1, s> = f_1(<τ_1, M_1, s>, ..., <τ_n, M_1, s>) = ω

and the lemma is obviously true. Otherwise, the induction hypothesis implies that for all i,

<τ_i, M_1, s> = <τ_i, M_2, s> ∈ T_i.

Since the interpretation for f in M_1 is less defined or equal to (⊑) the corresponding interpretation in M_2, we conclude that

<τ, M_1, s> = f_1(<τ_1, M_1, s>, ..., <τ_n, M_1, s>)
            ⊑ f_2(<τ_1, M_2, s>, ..., <τ_n, M_2, s>)
            = <τ, M_2, s>,

proving the lemma. Q.E.D.

Lemma 5. The sequence ℳp = {Mp^j | j = 0, 1, ...} is ascending.

Proof. We must prove that Mp^j ⊑ Mp^(j+1) for j = 0, 1, ... The proof proceeds by induction on j. Since the implicitly defined function names of P are interpreted identically in all structures in the sequence ℳp, we only need to consider the explicitly defined function names of P. Let g be an arbitrary function name explicitly defined in P. For j = 0, 1, ... we must show that g^j ⊑ g^(j+1) given that Mp^(j-1) ⊑ Mp^j when j > 0.

Base case. j = 0. For each explicitly defined function name g, g^0(x) = ω for all x. Hence g^0 ⊑ g^1.

Induction step. Given the induction hypothesis that Mp^(j-1) ⊑ Mp^j, we must prove that g^j ⊑ g^(j+1). Let

function g(x_1 : T_1, ..., x_n : T_n) : T = τ

be the function definition in P for g. By the definition of the sequence of structures ℳp, the following identity holds for k = 1, 2, ...:

g^k(x_1, ..., x_n) = <τ, Mp^(k-1), s> if x_i ∈ T_i for all i, 1 ≤ i ≤ n,
                   = ω otherwise.

If, for some i, x_i does not belong to type T_i, we get:

g^j(x_1, ..., x_n) = g^(j+1)(x_1, ..., x_n) = ω

and the lemma holds. Otherwise,

g^j(x_1, ..., x_n) = <τ, Mp^(j-1), s>

and

g^(j+1)(x_1, ..., x_n) = <τ, Mp^j, s>.

By the induction hypothesis, Mp^(j-1) ⊑ Mp^j. Consequently, the previous lemma (Lemma 4) implies that

g^j(x_1, ..., x_n) = <τ, Mp^(j-1), s> ⊑ <τ, Mp^j, s> = g^(j+1)(x_1, ..., x_n),

proving the lemma. Q.E.D.

Theorem 1. For each explicitly defined function symbol g appearing in P, the corresponding sequence of functions G has the following properties:

a. G is an ascending sequence under the partial ordering ⊑.

b. G has a least upper bound.

Proof of a. Immediate from the previous lemma.

Proof of b. Immediate from property a above and Lemma 3.
From the perspective of least fixed-point semantics, the interpretation in Mp for each explicitly defined function symbol g is the least call-by-value fixed point of the recursion equation for g. Given a recursive definition for the function f,

function f(x_1 : T_1, ..., x_n : T_n) : T = τ,

a call-by-value fixed-point of the equation is any function f which is a standard least fixed-point [see Milner 1973] of the functional τ* defined by:

τ*(f)(x_1, ..., x_n) = if x_1 : T_1 and ... and x_n : T_n
                       then τ evaluated at (x_1, ..., x_n)
                       else ω.

See APPENDIX 3 for a discussion of call-by-value least fixed points.

4.  Since  there  are  no  predicate  symbols  in  Lp,  there  are  no  relations  in  Mp. 
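The construction of Mp in items 1 to 3 above, and in particular the depth-bounded approximations g^j of item 3e (which are the iterates of the functional τ* just described), can be carried out directly for the assoc/put sample program. The following code is an added example and not the dissertation's own material: it represents ω, decides type membership from the type definitions, interprets the strict primitives, T-case, constructors and selectors as defined above, and computes the chain assoc^0 ⊑ assoc^1 ⊑ ... on a constructed a-list, showing where the chain stabilises at its least upper bound. The term encoding, the TYPES and FUNCS tables and the sample a-list are this example's own constructions; the ∈ (textual occurrence) primitive is left out.

```python
# Added example (not from the dissertation): the structure Mp and the
# approximations g^j for the assoc/put sample program, with the undefined element ω.

class _Omega:
    """The element ω of |Mp|: it belongs to no type and is the value of every
    incomplete or type-incorrect computation."""
    def __repr__(self):
        return "ω"

OMEGA = _Omega()
RESERVED = {"NIL", "TRUE", "FALSE", "ZERO"}   # capital identifiers excluded from atom

# Type definitions of the sample program. A list is a union of type names; a dict
# is a construction (selector name -> selector type). Capital identifiers such as
# NIL are minimal types and need no entry of their own.
TYPES = {
    "boolean":   ["TRUE", "FALSE"],
    "tree":      ["atom", "join"],
    "join":      {"left": "tree", "right": "tree"},
    "pair":      {"var": "atom", "val": "tree"},
    "pair_list": ["NIL", "cons"],
    "cons":      {"head": "pair", "tail": "pair_list"},
    "ext_pair":  ["NIL", "pair"],
}

# Terms (this example's encoding): a capital string is a constant, a lowercase
# string a variable, a tuple (f, arg1, ...) a function call. "T-case" and
# "boolean-case" (if-then-else) follow abbreviations 8 and 9 of Section 2.3.1.
# FUNCS maps an explicitly defined function to its parameter list and body τ.
FUNCS = {
    "assoc": ([("v", "atom"), ("l", "pair_list")],
              ("pair_list-case", "l",
               "NIL",
               ("boolean-case", ("equals", ("var", ("head", "l")), "v"),
                ("head", "l"),
                ("assoc", "v", ("tail", "l"))))),
}

def belongs(x, t):
    """x ∈ type T, decided from the type definitions; ω belongs to no type."""
    if x is OMEGA:
        return False
    if t == "any":
        return True
    if t == "atom":
        return isinstance(x, str) and x not in RESERVED
    d = TYPES.get(t)
    if d is None:                      # a capital identifier is its own minimal type
        return x == t
    if isinstance(d, dict):            # a construction: values are tuples tagged with c
        return isinstance(x, tuple) and x[0] == t
    return any(belongs(x, alt) for alt in d)

def ev(term, s, j):
    """<term, Mp^j, s>: the value of a term in the j-th structure of the sequence,
    in which every explicitly defined g is interpreted by g^j."""
    if isinstance(term, str):
        return term if term[0].isupper() else s[term]
    f, *args = term
    if f.endswith("-case"):            # T-case(x0, a1, ..., an) is not strict in the a_i
        x0 = ev(args[0], s, j)
        for alt_type, alt in zip(TYPES[f[:-5]], args[1:]):
            if belongs(x0, alt_type):
                return ev(alt, s, j)
        return OMEGA
    xs = [ev(a, s, j) for a in args]   # every other symbol is strict: evaluate all arguments
    if f.startswith("is-"):
        return OMEGA if xs[0] is OMEGA else ("TRUE" if belongs(xs[0], f[3:]) else "FALSE")
    if f == "equals":
        return OMEGA if OMEGA in xs else ("TRUE" if xs[0] == xs[1] else "FALSE")
    if f == "not":
        return OMEGA if not belongs(xs[0], "boolean") else ("TRUE" if xs[0] == "FALSE" else "FALSE")
    if f in ("and", "or"):
        if not all(belongs(x, "boolean") for x in xs):
            return OMEGA
        bits = [x == "TRUE" for x in xs]
        return "TRUE" if (all(bits) if f == "and" else any(bits)) else "FALSE"
    if isinstance(TYPES.get(f), dict):  # constructor c: ω unless every x_i ∈ T_i
        return (f, *xs) if all(belongs(x, t) for x, t in zip(xs, TYPES[f].values())) else OMEGA
    for c, sels in TYPES.items():       # selector s_i of a construction c
        if isinstance(sels, dict) and f in sels:
            return xs[0][1 + list(sels).index(f)] if belongs(xs[0], c) else OMEGA
    params, body = FUNCS[f]             # explicitly defined g, interpreted by g^j
    if j == 0 or not all(belongs(x, t) for x, (_, t) in zip(xs, params)):
        return OMEGA
    return ev(body, {p: x for (p, _), x in zip(params, xs)}, j - 1)

def assoc_chain(v, alist, max_depth):
    """The ascending chain assoc^0(v,l) ⊑ assoc^1(v,l) ⊑ ... ⊑ assoc^max_depth(v,l)."""
    return [ev(("assoc", "v", "l"), {"v": v, "l": alist}, j) for j in range(max_depth + 1)]

def val_of_assoc(v, alist, j):
    """The expression val(assoc(v,l)) of Section 2.1, evaluated in Mp^j."""
    return ev(("val", ("assoc", "v", "l")), {"v": v, "l": alist}, j)

# Constructed sample a-list: cons(pair(A, B), cons(pair(C, D), NIL)).
ALIST = ("cons", ("pair", "A", "B"), ("cons", ("pair", "C", "D"), "NIL"))
```

For the key C the chain is ω, ω, pair(C, D), pair(C, D), ...: two call levels are needed before the result is defined, after which the chain is constant, which is the least upper bound of Lemma 2. For a key that is absent, assoc eventually yields NIL and val(NIL) is ω, which is the run-time error that the relaxed parse-time rule of Section 2.1 leaves to a run-time check or to a proof.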

Now that we have constructed the structure Mp interpreting the function and constant symbols of Lp, we can define the meaning of formulas and terms in Lp in the obvious way. The meaning of a formula or term γ, given some interpretation function s assigning values to the free variables in γ, is simply <γ, Mp, s>. If a formula γ in Lp is true for all interpretation functions s, then γ is a theorem for P.

2.3.3. The Semantics of Program Composition

At this point, it is illuminating to examine how the structure Mp for the program P changes when we add new function or data type definitions to the program. Intuitively, the meaning of a TYPED LISP data type or function definition is dependent only on the data types or functions used in the definition. Consequently, expanding a program by adding new data type or function definitions should not affect the meaning of the data types or functions already defined. Does this property hold for our formal definition of the meaning of TYPED LISP programs? The answer is a qualified yes.

If we create a new program P' by adding some new function definitions to the original program P, the interpretations for all of the old function symbols are unchanged in the new structure Mp'. Similarly, if we include new type definitions in P', then all of the interpretations for the old function symbols are unchanged when we restrict them to the original domain. However, there are rare cases where a statement in Lp is true in Mp but false in Mp', and vice-versa. Fortunately, the statements involved are of no practical importance; they are simply statements, or consequences of statements, asserting the existence of an object of type any not belonging to any other type defined in P. Furthermore, we can design our formal deductive system so that the provable theorems of Lp are a subset of the provable theorems of Lp'. [Statements which are true for Mp but not for Mp' will not be provable from the axioms for Mp.] Consequently, extending a program won't force us to reprove the theorems we have already proved.
CHAPTER 3

A FORMAL  DEDUCTION  SYSTEM  FOR  TYPED  LISP 


3.1  Introduction 

Although Section 2.3.2 presents an intuitively plausible definition of the meaning for any statement in the assertion language Lp, we have no systematic way to determine whether a particular statement in Lp is true or false. Unfortunately, Gödel's incompleteness theorem implies that there is no effective procedure which will determine whether an arbitrary statement in Lp is true or false in Mp. In fact, Gödel's theorem implies the much stronger result that the true statements of Mp are not recursively enumerable. From the standpoint of completeness, the best that we can do is to construct a set of axioms Ap in Lp incorporating all of the fundamental properties of Mp that we understand, and use standard first-order predicate calculus rules of inference (e.g. Gentzen's natural deduction rules) to prove theorems from the axioms. In practice, the inherent incompleteness of any axiomatization should not be a very serious problem. If a programmer genuinely understands the workings of a program he writes, then he should know, at least in principle, how to prove that the program is correct from the basic properties of the program data. Furthermore, if our first-order deductive system is constructed with care, virtually every such proof will be formalizable in our deductive system.


3.2  Ap:  An  Axiom  System  for  the  Standard  Model 

We will now construct a set of axioms Ap for Mp. To demonstrate that Ap is really an axiomatization of Mp, we must informally prove that every axiom in Ap is true in Mp. In the course of these proofs, we will need the following definitions, lemmas, and theorems:

Lemma 6. For any types T_1, T_2: T_1 ⪯ T_2 (on type names) implies that type T_1 is a subset of type T_2.

Proof. Immediate from the construction of |Mp|.




Definition. A minimal type T is either a single-element type C containing the primitive object C, or a construction type.

Lemma 7. Any two minimal types with distinct names are disjoint.

Proof. Immediate from the construction of |Mp|.

Lemma 8. Every element of |Mp| except ω belongs to a unique minimal type.

Proof. Every x ∈ |Mp| is either a primitive object or a constructed object. If x is some primitive object C distinct from ω, then x belongs to the minimal type C; otherwise x is a constructed object and x belongs to the corresponding construction type. Since all minimal types are disjoint, no element can belong to more than one minimal type. Q.E.D.

Theorem 2. Every type T defined in P is the union of the types denoted by the type names in NF(T).

Proof. Let x be an arbitrary element of |Mp| other than ω, and let T_x be the minimal type of x. By the construction of |Mp|, x belongs to type T if and only if the type name T_x ∈ NF(T). Q.E.D.

Corollary 2.1. Let x be a data object in |Mp| and let T_x be the minimal type of x. Then x belongs to type T if and only if T_x ⪯ T.

Proof. Immediate.

Corollary 2.2. If the type name T is defined in P as the union (enumeration, disjoint union or recursive union) of type names T_1, ..., T_n, then for any data object x, x belongs to type T if and only if x belongs to type T_i for some i, 1 ≤ i ≤ n.

Proof. By the definition of type name normal forms, NF(T) = NF(T_1) ∪ ... ∪ NF(T_n). Let T_x denote the minimal type of x. By Theorem 2, x belongs to type T if and only if the type name T_x ∈ NF(T). But the latter condition holds if and only if T_x ∈ NF(T_i) for some i, 1 ≤ i ≤ n, which by Theorem 2 is equivalent to x ∈ T_i for some i. Q.E.D.

Lemma 9. Let $\{\hat f^{\,j} \mid j = 0, 1, \ldots\}$ be an ascending sequence of functions mapping $|M_P|^n$ into $|M_P|$. Let $\{x_1^{\,j} \mid j = 0, 1, \ldots\}, \ldots, \{x_n^{\,j} \mid j = 0, 1, \ldots\}$ be ascending sequences of elements in $|M_P|$. Then:

$$\text{l.u.b.}\{\hat f^{\,j}(x_1^{\,j}, \ldots, x_n^{\,j}) \mid j = 0, 1, \ldots\} = \text{l.u.b.}\{\hat f^{\,j}(\text{l.u.b.}\{x_1^{\,k} \mid k = 0, 1, \ldots\}, \ldots, \text{l.u.b.}\{x_n^{\,k} \mid k = 0, 1, \ldots\}) \mid j = 0, 1, \ldots\}$$

Proof. Since the approximation ordering on $|M_P|$ is flat (ω lies below every other object, and distinct objects other than ω are incomparable), each ascending sequence $\{x_i^{\,j} \mid j = 0, 1, \ldots\}$, $1 \le i \le n$, is either identically ω for all j, or there is some integer $k_i$ such that $x_i^{\,j} = z_i \ne \omega$ for all $j \ge k_i$. If the sequence $\{x_i^{\,j} \mid j = 0, 1, \ldots\}$ is identically ω, we set $k_i$ to zero. Let $k = \max\{k_i \mid 1 \le i \le n\}$. Each sequence $\{x_i^{\,j} \mid j = 0, 1, \ldots\}$, $1 \le i \le n$, is constant after the first k elements. Consequently the two sequences

$$\{\hat f^{\,j}(x_1^{\,j}, \ldots, x_n^{\,j}) \mid j = 0, 1, \ldots\}$$

and

$$\{\hat f^{\,j}(\text{l.u.b.}\{x_1^{\,k} \mid k = 0, 1, \ldots\}, \ldots, \text{l.u.b.}\{x_n^{\,k} \mid k = 0, 1, \ldots\}) \mid j = 0, 1, \ldots\}$$

are identical beyond the first k elements and have identical least upper bounds. Q.E.D.

Definition. The partial ordering ⊂ on the domain |Mp| is defined by:

  x ⊂ y iff ⊂(x, y) = TRUE,

where ⊂(x, y) is the containment function of Mp.

Lemma 10. The partial ordering ⊂ on the domain |Mp| is well-founded (i.e. no member of the domain has more than a finite number of predecessors).

Proof. Let z be any member of |Mp|. By the definition of |Mp|, z must be either a primitive object, which has no predecessors, or a finitely constructed object. But the only predecessors (under the ordering ⊂) in |Mp| of a finitely constructed object z are simply the objects textually occurring in z. Obviously, there can only be a finite number of such objects (they all must be objects created in the process of constructing z). Q.E.D.
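The lemmas above can be checked on a concrete set of type definitions. The following Python model is an added example, not code from the dissertation or its verification system: it computes type-name normal forms NF(T), decides the subtype relation on names by NF inclusion (so Lemma 6 holds by construction), assigns each defined object its minimal type (Lemma 8), decides x : T as in Corollary 2.1, builds constructed objects only from well-typed components (construction axiom 3a.1), and computes the finite predecessor set of Lemma 10 for the containment ordering ⊂. The type definitions (natnum, list, tree, boolean), the special handling of atom and any (subtyping into atom is not modelled), and the representation of ω as None are assumptions made for the illustration.

```python
from dataclasses import dataclass

OMEGA = None                                   # the undefined object ω
NON_ATOMS = {"NIL", "TRUE", "FALSE", "ZERO"}   # primitives outside type atom (axioms 1b, 1e)

# Constructed type definitions, in the spirit of TYPED LISP:
#   natnum  = ZERO | succ(pred: natnum)              recursive union
#   list    = NIL  | cons(car: any, cdr: list)       recursive union
#   tree    = leaf(val: natnum) | node(left: tree, right: tree)
#   boolean = TRUE | FALSE                           enumeration
UNIONS = {"natnum": ("ZERO", "succ"), "list": ("NIL", "cons"),
          "tree": ("leaf", "node"), "boolean": ("TRUE", "FALSE")}
CONSTRUCTIONS = {"succ": (("pred", "natnum"),),
                 "cons": (("car", "any"), ("cdr", "list")),
                 "leaf": (("val", "natnum"),),
                 "node": (("left", "tree"), ("right", "tree"))}

@dataclass(frozen=True)
class Obj:
    """A constructed data object c(x_1, ..., x_n)."""
    constructor: str
    args: tuple

def normal_form(t):
    """NF(t): the minimal type names (single-element types C and construction
    types c) reachable from t through union definitions; the visited set makes
    recursive unions terminate.  By Theorem 2, t is the union of these types."""
    nf, seen, todo = set(), set(), [t]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        if name in UNIONS:
            todo.extend(UNIONS[name])
        else:
            nf.add(name)
    return frozenset(nf)

def subtype(t1, t2):
    """T_1 ⪯ T_2 on type names, decided by NF inclusion; any contains every
    defined object and atom every constant not listed in NON_ATOMS."""
    if t2 == "any" or t1 == t2:
        return True
    if t1 in ("any", "atom") or t2 == "atom":
        return False
    return normal_form(t1) <= normal_form(t2)

def disjoint(t1, t2):
    """Lemma 7 lifted to unions: no minimal type in common."""
    return normal_form(t1).isdisjoint(normal_form(t2))

def minimal_type(x):
    """Lemma 8: the unique minimal type of a defined object, None for ω."""
    if x is OMEGA:
        return None
    return x if isinstance(x, str) else x.constructor

def is_member(x, t):
    """x : T, decided as in Corollary 2.1: the minimal type of x lies in NF(T)."""
    if x is OMEGA:
        return False
    if t == "any":
        return True
    if t == "atom":
        return isinstance(x, str) and x not in NON_ATOMS
    return minimal_type(x) in normal_form(t)

def construct(c, args):
    """ĉ: builds c(x_1, ..., x_n) only when every x_i : T_i (axiom 3a.1); ω otherwise."""
    decl = CONSTRUCTIONS[c]
    if len(args) != len(decl) or not all(is_member(x, t) for x, (_, t) in zip(args, decl)):
        return OMEGA
    return Obj(c, tuple(args))

def select(s, y):
    """ŝ_i(c(x_1, ..., x_n)) = x_i (axiom 3a.4); ω on anything else."""
    if isinstance(y, Obj):
        for i, (name, _) in enumerate(CONSTRUCTIONS[y.constructor]):
            if name == s:
                return y.args[i]
    return OMEGA

def predecessors(y):
    """The objects occurring structurally within y: the finite predecessor set of Lemma 10."""
    preds = set()
    if isinstance(y, Obj):
        for a in y.args:
            preds.add(a)
            preds |= predecessors(a)
    return preds

def contained(x, y):
    """x ⊂ y: TRUE or FALSE for defined objects, ω when either side is ω (axiom 6d)."""
    if x is OMEGA or y is OMEGA:
        return OMEGA
    return x in predecessors(y)
```

With these definitions, succ(succ(ZERO)) is a member of natnum but not of tree, succ(NIL) is ω because NIL is not a natnum, ZERO lies below succ(succ(ZERO)) in the ⊂ ordering while no object lies below itself (axiom 6b), and the predecessor set of any constructed object is finite, which is what the induction axiom schema relies on.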

Theorem 3. For any function definition in P:

  function f(x_1: T_1, ..., x_n: T_n): T_0 = τ

and any interpretation function s for Lp which maps x_i into some object in T_i, 1 ≤ i ≤ n:

$$\langle \tau, M_P, s\rangle = \langle f(x_1, \ldots, x_n), M_P, s\rangle.$$

Proof. Let $\bar x_i$ denote $s(x_i)$, the interpretation of $x_i$, and let $\hat f$ denote the interpretation of f in the structure $M_P$. By the construction of $M_P$,

$$\langle f(x_1, \ldots, x_n), M_P, s\rangle = \hat f(\bar x_1, \ldots, \bar x_n) = \text{l.u.b.}\{\hat f^{\,j}(\bar x_1, \ldots, \bar x_n) \mid j = 0, 1, \ldots\} = \text{l.u.b.}\{\langle \tau, M_P^{\,j}, s\rangle \mid j = 0, 1, \ldots\}.$$

So to prove this axiom is true in Mp, all we have to do is prove the following lemma.

Lemma 11. For any expression τ in Lp and interpretation function s,

$$\langle \tau, M_P, s\rangle = \text{l.u.b.}\{\langle \tau, M_P^{\,j}, s\rangle \mid j = 0, 1, \ldots\}.$$

Proof. By induction on the structure of τ.

Base step: τ is a constant C. This case is trivial, since C is interpreted as C in $M_P$ and in every $M_P^{\,j}$, $j \ge 0$. (A variable x is handled the same way: it is interpreted as s(x) in every structure.)

Induction step: τ is a function call of the form $f(a_1, \ldots, a_n)$ where f is a function symbol in Lp and $a_1, \ldots, a_n$ are terms that satisfy the lemma. As before, let $\hat f^{\,j}$ denote the interpretation of f in the structure $M_P^{\,j}$. If f is not explicitly defined in P (defined by a recursion equation), then we define $\hat f^{\,j} = \hat f$ for all j. By the l.u.b. lemma (Lemma 9):

$$\text{l.u.b.}\{\langle \tau, M_P^{\,j}, s\rangle \mid j = 0, 1, \ldots\} = \text{l.u.b.}\{\langle f(a_1, \ldots, a_n), M_P^{\,j}, s\rangle \mid j = 0, 1, \ldots\}$$
$$= \text{l.u.b.}\{\hat f^{\,j}(\langle a_1, M_P^{\,j}, s\rangle, \ldots, \langle a_n, M_P^{\,j}, s\rangle) \mid j = 0, 1, \ldots\}$$
$$= \text{l.u.b.}\{\hat f^{\,j}(\bar a_1, \ldots, \bar a_n) \mid j = 0, 1, \ldots\}$$

where $\bar a_i$, $1 \le i \le n$, denotes $\text{l.u.b.}\{\langle a_i, M_P^{\,k}, s\rangle \mid k = 0, 1, \ldots\}$.

Our induction hypothesis states that for $1 \le i \le n$, $\text{l.u.b.}\{\langle a_i, M_P^{\,j}, s\rangle \mid j = 0, 1, \ldots\} = \langle a_i, M_P, s\rangle$. Hence by the induction hypothesis and the construction of $\hat f$,

$$\text{l.u.b.}\{\langle \tau, M_P^{\,j}, s\rangle \mid j = 0, 1, \ldots\} = \text{l.u.b.}\{\hat f^{\,j}(\langle a_1, M_P, s\rangle, \ldots, \langle a_n, M_P, s\rangle) \mid j = 0, 1, \ldots\}$$
$$= \hat f(\langle a_1, M_P, s\rangle, \ldots, \langle a_n, M_P, s\rangle)$$
$$= \langle f(a_1, \ldots, a_n), M_P, s\rangle$$
$$= \langle \tau, M_P, s\rangle.$$

Q.E.D.

A description and justification for each axiom in the theory Ap for the structure Mp follows. Many of the axioms are immediate consequences of the construction of |Mp|. In that case, I will simply state "immediate" as the justification.


1. Primitive data type axioms.

a. For any two distinct constant symbols C_1, C_2:

  C_1 ≠ C_2.

Justification: Immediate, since C_1, C_2 are interpreted by the distinct objects C_1, C_2, respectively.

b. For every constant symbol C except ω, NIL, TRUE, FALSE, ZERO:

  C : atom.

Justification: Immediate, since the only primitive objects in |Mp| not belonging to type atom are NIL, TRUE, FALSE, ZERO, and ω.

c. For each constructor definition c(θ), where c is a constructor and θ is a list of selector declarations:

  ∀x [x : c ⊃ x ¬: atom].

Justification: In |Mp| a constructed object of type c belongs to type T if and only if c ⪯ T. By the definition of the ⪯ relation on type names [see Section 2.2], c ⋠ atom.

d. For every constant symbol C except ω (i.e. any capital identifier):

  ∀x [x = C ≡ x : C].

Justification: In |Mp| the only object defined as an element of type C (where C is any capital identifier) is C.

e. ¬ NIL : atom
   ¬ TRUE : atom
   ¬ FALSE : atom
   ¬ ZERO : atom

Justification: Immediate.

f. ∀x [x : any ≡ x ≠ ω].

Justification: Immediate from the definition of |Mp| and is-T.

g. For every type T defined in P:

  ω : T = ω.

Justification: Immediate from the definition of is-T.
2. Union axioms.

For each data type name T_0 defined as a union (disjoint union, enumeration, or recursive union) of the types T_1, T_2, ..., T_n:

  ∀x [x : T_0 ≡ x : T_1 ∨ x : T_2 ∨ ... ∨ x : T_n].

Justification: Immediate consequence of Corollary 2.2.

3. Construction axioms.

a. For each construction definition c(s_1: T_1, ..., s_n: T_n):

  1. ∀x_1, x_2, ..., x_n [x_1 : T_1 ∧ x_2 : T_2 ∧ ... ∧ x_n : T_n ⊃ c(x_1, x_2, ..., x_n) : c].

  Justification: Immediate from the definition of |Mp|.

  2. ∀y [y : c ⊃ c(s_1(y), s_2(y), ..., s_n(y)) = y].

  Justification: From the definition of |Mp|, we know that an object y belongs to the constructor type c if and only if y = c(x_1, ..., x_n) for some x_1, ..., x_n ∈ |Mp|. Furthermore, the definitions of the constructor and selector functions in Mp assert that ĉ(x_1, ..., x_n) = c(x_1, ..., x_n) and ŝ_i(c(x_1, ..., x_n)) = x_i, 1 ≤ i ≤ n. Consequently,

    y = c(x_1, ..., x_n) = ĉ(x_1, ..., x_n) = ĉ(ŝ_1(y), ..., ŝ_n(y)),

  proving the desired result.

  3. ∀y [y : c ⊃ s_i(y) : T_i]   (for i = 1, 2, ..., n).

  Justification: Immediate from the construction of |Mp|.

  4. ∀x_1, x_2, ..., x_n [x_1 : T_1 ∧ x_2 : T_2 ∧ ... ∧ x_n : T_n ⊃ s_i(c(x_1, x_2, ..., x_n)) = x_i]   (for i = 1, 2, ..., n).

  Justification: Immediate from the construction of |Mp|.

b. For any distinct constructors c_1, c_2:

  ∀x [x : c_1 ⊃ x ¬: c_2].

Justification: Since c_1 and c_2 are distinct minimal types, they must be disjoint (by Lemma 7).

4. Induction axiom schema.

For any formula β(x) with the single free variable x:

  ∀y [∀x [x ⊂ y ⊃ β(x)] ⊃ β(y)] ⊃ ∀z [β(z)].

Justification: This axiom schema simply asserts that the induction principle holds for the domain |Mp| under the partial ordering ⊂ (at least for statements expressible in Lp). By Lemma 10, the partial ordering ⊂ is well-founded. Consequently, the rule is valid.

5. Axioms for equals, not, or, and:

a. ∀x [x ≠ ω ⊃ x equals x = TRUE].
b. ∀x, y [x ≠ y ∧ x ≠ ω ∧ y ≠ ω ⊃ x equals y = FALSE].
c. ∀x [ω equals x = ω].
d. ∀x [x equals ω = ω].
e. not TRUE = FALSE.
f. not FALSE = TRUE.
g. not ω = ω.
h. ∀x [x ¬: boolean ⊃ not(x) = ω].
i. TRUE and TRUE = TRUE.
j. TRUE and FALSE = FALSE.
k. FALSE and TRUE = FALSE.
l. FALSE and FALSE = FALSE.
m. ∀x [ω and x = ω].
n. ∀x [x and ω = ω].
o. ∀x, y [x ¬: boolean ∨ y ¬: boolean ⊃ x and y = ω].
p. TRUE or TRUE = TRUE.
q. TRUE or FALSE = TRUE.
r. FALSE or TRUE = TRUE.
s. FALSE or FALSE = FALSE.
t. ∀x [ω or x = ω].
u. ∀x [x or ω = ω].
v. ∀x, y [x ¬: boolean ∨ y ¬: boolean ⊃ x or y = ω].

Justification: Immediate.


6. Axioms for ⊂ (containment).

a. For each construction definition c(s_1: T_1, s_2: T_2, ..., s_n: T_n):

  1. ∀y, x_1, x_2, ..., x_n [y = c(x_1, x_2, ..., x_n) ∧ y ≠ ω ⊃ x_i ⊂ y]   (for i = 1, 2, ..., n).

  2. ∀y, x_1, x_2, ..., x_n [(y ⊄ x_1 ∧ y ≠ x_1) ∧ (y ⊄ x_2 ∧ y ≠ x_2) ∧ ... ∧ (y ⊄ x_n ∧ y ≠ x_n) ⊃ y ⊄ c(x_1, ..., x_n)].

b. ∀x [x ≠ ω ⊃ x ⊄ x].

c. ∀x, y, z [x ⊂ y ∧ y ⊂ z ⊃ x ⊂ z].

d. ∀x [ω ⊂ x = ω].

e. For any constant C other than ω:

  ∀x [x ≠ ω ⊃ x ⊄ C].

Justification: Immediate from the definition of ⊂.

7. Axioms for case.

For each type identifier T defined in P as the disjoint or recursive union (including enumerations) of the data types T_1, T_2, ..., T_n:

a. ∀y, x_1, x_2, ..., x_n [y : T_i ⊃ T case y of T_1: x_1; ...; T_i: x_i; ...; T_n: x_n = x_i]   (for i = 1, 2, ..., n).

b. ∀y, x_1, x_2, ..., x_n [¬(y : T) ⊃ T case y of T_1: x_1; ...; T_i: x_i; ...; T_n: x_n = ω].

Justification: Immediate from the definition of case-T.

8. Function definition axioms.

For each function definition

  function f(x_1: T_1, ..., x_n: T_n): T_0 = τ(x_1, ..., x_n)

where f is a function identifier; x_1, ..., x_n are variables; T_0, T_1, ..., T_n are types; and τ(x_1, ..., x_n) is an expression containing no variables other than x_1, ..., x_n:

a. ∀x_1, x_2, ..., x_n [¬(x_1 : T_1) ∨ ... ∨ ¬(x_n : T_n) ⊃ f(x_1, ..., x_n) = ω].

Justification: This axiom asserts that ⟨f(x_1, ..., x_n), Mp, s⟩ equals ω if s maps some x_i, 1 ≤ i ≤ n, into some object not belonging to type T_i. But this is a trivial consequence of the fact that f̂ is undefined (ω) if any of its arguments is of the wrong type.

b. ∀x_1, x_2, ..., x_n [x_1 : T_1 ∧ ... ∧ x_n : T_n ⊃ f(x_1, ..., x_n) = τ(x_1, ..., x_n)].

Justification: Immediate from Theorem 3.


3.3  Completeness  of  the  Axiom  System  Ap 

We have established that Mp is a model for Ap. However, this fact is still no assurance that Ap is a satisfactory axiomatization for Mp. Some important properties of Mp may not be specified by Ap. By the completeness theorem for first-order predicate calculus, we know that a formula α in Lp is provable from Ap if and only if α is true for all models of Ap. Consequently, examining other models of Ap gives us some hints about the completeness of our axiomatization of Mp (by Gödel's incompleteness theorem, it cannot be fully complete).

First, let us look at the alternate models for Ap on the standard domain |Mp|. Axiom group 8 asserts that all explicitly defined functions in P are call-by-value fixed-points of their defining recursion equations. Nothing in these axioms restricts their interpretations to the least call-by-value fixed-points. As a result, any set of call-by-value fixed-points is a valid interpretation for the explicitly defined function symbols of P.

For example, let P be some TYPED LISP program containing the following function definition:

  function loop(x: natnum): natnum = loop(x)

The interpretation for loop in the standard model is the everywhere undefined function. However, any function mapping |Mp| into |Mp| which is undefined for arguments outside natnum is a valid interpretation for loop, since every such function satisfies axioms 8a and 8b. Consequently, we cannot prove anything about the function loop other than the trivial fact that it is undefined for arguments outside natnum.

In general, the axiom set Ap is strong enough to prove the totality of almost any total TYPED LISP function (obviously, we can't escape the fundamental incompleteness inherent in any recursively-enumerable theory dealing with the termination of arbitrary programs), but it cannot prove the non-totality of TYPED LISP functions which are undefined for some inputs, or that equivalent non-total TYPED LISP functions are equivalent, except for a few special cases. However, I do not think this weakness of my semantics is a serious disadvantage in practice. Very few functions appearing in everyday programs have domains which are not recursive (interpreters seem to be the most prominent exception). Consequently, if the data type definition facility in a programming language is powerful enough to define any recursive set as a data type, nearly every function encountered in practice can be written as a total function on user-defined data types. (TYPED LISP currently does not have this power, but it could easily be extended so that it did.) Moreover, in order to handle the rare cases where partial functions are of practical significance, it is possible to write recursive definitions for partial functions which have unique call-by-value fixed-points (the trick is to create recursive functions which return computation sequences rather than single values). Syntactically characterizing important classes of recursive definitions which have unique call-by-value fixed points is an interesting topic for further research.

The other non-standard models of interest are those which have domains which are extensions of |Mp|. While the axioms in Ap specify the characteristics of every user-defined type of P in detail, they make no restrictions on the objects belonging only to type any. Consequently, if we extend the program P to P* by adding some new data type and function definitions, the structure Mp* is a model for Ap if we exclude the interpretations for the new function symbols (function symbols not included in Lp). As a result, any provable theorem for P is true for P*. Viewed from the perspective of proof theory, the same result is even easier to derive. For any program P* that is an extension of P, the axiom set Ap is a subset of the axiom set Ap* (axioms corresponding to a particular function or data type definition are generated independently of the definition's context). Hence, any theorem provable from Ap is provable from Ap*. Since Mp* is a model for Ap*, we conclude that any provable theorem for P is true for P*.
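Theorem 3 and Lemma 11 describe the interpretation of a defined function as the least upper bound of its approximations $\hat f^{\,j}$, and this section observes that axiom group 8 is satisfied by every call-by-value fixed-point, not only the least one. Both can be checked by computation. The Python program below is an added example, not code from the dissertation or its verification system: it evaluates a constructed two-function program (plus and loop over natnum) in the structures $M_P^{\,j}$, where every user-defined symbol is interpreted by its j-th approximation, and then checks axioms 8a and 8b pointwise for several candidate interpretations of plus and loop. The program, the sample arguments, and the encoding of natural numbers as Python integers and of ω as None are assumptions of the example.

```python
OMEGA = None   # the undefined object ω; natural numbers are encoded as Python ints

# Constructed program P:
#   function plus(x: natnum, y: natnum): natnum =
#       if zerop(y) then x else succ(plus(x, pred(y)))
#   function loop(x: natnum): natnum = loop(x)
PROGRAM = {
    "plus": (("x", "y"),
             ("if", ("zerop", ("var", "y")),
                    ("var", "x"),
                    ("succ", ("call", "plus", ("var", "x"), ("pred", ("var", "y")))))),
    "loop": (("x",), ("call", "loop", ("var", "x"))),
}

def is_natnum(v):
    return isinstance(v, int) and not isinstance(v, bool) and v >= 0

# Primitive operations are strict: ω or an ill-typed argument yields ω.
PRIMS = {
    "zerop": lambda v: (v == 0) if is_natnum(v) else OMEGA,
    "succ":  lambda v: v + 1 if is_natnum(v) else OMEGA,
    "pred":  lambda v: v - 1 if is_natnum(v) and v > 0 else OMEGA,
}

def evaluate(expr, env, interp):
    """<expr, M, s>: strict evaluation of expr under the environment env, with
    every user-defined function symbol f interpreted by the callable interp[f]."""
    tag = expr[0]
    if tag == "const":
        return expr[1]
    if tag == "var":
        return env[expr[1]]
    if tag == "if":
        cond = evaluate(expr[1], env, interp)
        if cond is True:
            return evaluate(expr[2], env, interp)
        if cond is False:
            return evaluate(expr[3], env, interp)
        return OMEGA                       # condition is ω or not boolean
    if tag in PRIMS:
        return PRIMS[tag](evaluate(expr[1], env, interp))
    if tag == "call":
        args = [evaluate(a, env, interp) for a in expr[2:]]
        return interp[expr[1]](*args)
    raise ValueError(expr)

def approx(fname, level):
    """f^level, the level-th approximation to the call-by-value least fixed point:
    f^0 is everywhere ω, and f^(j+1) = τ*(f^j) checks its arguments against the
    declared types (the call-by-value guard) and evaluates the body in M_P^j."""
    params, body = PROGRAM[fname]
    def f(*args):
        if level == 0 or not all(is_natnum(a) for a in args):
            return OMEGA
        return evaluate(body, dict(zip(params, args)),
                        {g: approx(g, level - 1) for g in PROGRAM})
    return f

def approximations(fname, args, max_level):
    """The ascending sequence f^0(args), f^1(args), ..., f^max_level(args)."""
    return [approx(fname, j)(*args) for j in range(max_level + 1)]

def lub(seq):
    """Least upper bound of an ascending sequence in the flat domain |M_P|: ω
    unless some element is defined, after which the sequence is constant."""
    defined = [v for v in seq if v is not OMEGA]
    assert all(v == defined[0] for v in defined), "sequence is not ascending"
    return defined[0] if defined else OMEGA

def is_cbv_fixed_point(fname, interp, samples):
    """Axioms 8a and 8b checked pointwise on samples: f is ω on ill-typed
    arguments and equals its body τ elsewhere, with τ evaluated under interp.
    Every call-by-value fixed point passes, not only the least one."""
    params, body = PROGRAM[fname]
    for args in samples:
        lhs = interp[fname](*args)
        if not all(is_natnum(a) for a in args):
            if lhs is not OMEGA:
                return False
        elif lhs != evaluate(body, dict(zip(params, args)), interp):
            return False
    return True

STD_PLUS = lambda x, y: x + y if is_natnum(x) and is_natnum(y) else OMEGA   # the l.u.b. for plus
LEAST_LOOP = lambda x: OMEGA                                                  # the standard loop
IDENTITY_LOOP = lambda x: x if is_natnum(x) else OMEGA                        # another cbv fixed point
PLUS_SAMPLES = [(2, 3), (0, 0), (7, 1), (4, "NIL")]                           # constructed inputs
LOOP_SAMPLES = [(0,), (3,), ("NIL",)]
```

approximations("plus", (2, 3), 6) is ω for j < 4 and 5 from j = 4 on, so the l.u.b. is 5, while every approximation of loop is ω and the l.u.b. is ω. Both LEAST_LOOP and IDENTITY_LOOP pass is_cbv_fixed_point for loop, which is exactly why Ap cannot prove that loop is undefined on any natural number; a wrong candidate for plus (say multiplication) fails on (2, 3), because the axioms do pin down total functions whose recursion bottoms out.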
CHAPTER 4

A NATURAL  DEDUCTION  SYSTEM  FOR  TYPED  LISP 


4.1  Introduction 

Since proving theorems in Lp using a standard first-order deductive system is an exceedingly long and tedious task, I have developed a natural deduction system Np for proving quantifier-free theorems in Lp from the axiom set Ap. Restricting the programmer to proving quantifier-free theorems does not seem to be a serious limitation. The programmer can convert any statement involving quantifiers to quantifier-free form by using Skolem functions, assuming he can write TYPED LISP definitions for the Skolem functions introduced.

In the deduction system Np, proofs normally proceed backwards from the statement to be proved (called a goal) by matching the goal with the conclusion of a rule, reducing the proof of the goal to the proof of the rule's premises (called subgoals), which presumably are easier to prove. Although Np is designed only to prove quantifier-free formulas, we cannot entirely eliminate quantifiers from Np, since quantifiers are required for the statement of induction hypotheses appearing in Np proofs. There are no other exceptions to the ban on quantifiers. Henceforth, we will refer to quantifier-free formulas simply as formulas.

For the sake of simplicity, let us adopt the following notation for statements in Np. All statements in Np have the form A | β, where β is any formula and A = {α_1, ..., α_n} is a (possibly empty) set of hypotheses which are formulas or induction hypotheses. A | β is simply a compact notation for the Lp formula α_1 ∧ ... ∧ α_n ⊃ β. Induction hypotheses have the form ∀x_1, ..., x_n [A | β] where A | β is a statement. We will use the customary notation for substitution into expressions and formulas. Given the expression or formula γ, the variable x, and the expression τ, γ^x_τ denotes the result of substituting τ for every free occurrence of x in γ. We will use the analogous notation A^x_τ to denote the result of substituting τ for every free occurrence of x in the hypothesis set A.


We define the formal system Np for proving theorems A | β as follows:

1. { } | TRUE is provable (i.e. is a theorem).

2. Any other goal A | β is provable in Np if and only if there is an inference rule in Np with conclusion A | β and premises A_1 | β_1, ..., A_n | β_n, where the premises are provable.

The proof system Np has four classes of inference rules: expression simplification rules, formula simplification rules, goal simplification rules, and general proof rules. While it is possible to derive every rule of Np from the axiom set Ap and standard first-order predicate calculus deduction, it is a tedious, uninteresting task. I will follow the simpler course of verifying the truth of the rules for the standard model Mp. Since all of the simplification rules (expression, formula, and goal) follow immediately from the definition of Mp and the definition of truth for first-order languages, their justifications are omitted. A description of the rules in each of the four classes follows.

4.2  Expression  Simplification  Rules 

Expression simplification rules have the form B | ξ_1 ⇒ ξ_2, where B = {α_1, ..., α_n} is a set of formulas, and ξ_1, ξ_2 are TYPED LISP expressions. The rule B | ξ_1 ⇒ ξ_2 means that any occurrence of the expression ξ_1 in a goal A | γ may be replaced by ξ_2 provided that B is a subset of A. Formally, the original goal A | γ is the conclusion of the inference rule and the transformed goal is the premise. The expression rules of Np appear below:

1. For any expressions ξ, ξ_1, ξ_2:

  {ξ} | ξ ⇒ TRUE
  { } | if TRUE then ξ_1 else ξ_2 ⇒ ξ_1
  { } | if FALSE then ξ_1 else ξ_2 ⇒ ξ_2
  { } | if ω then ξ_1 else ξ_2 ⇒ ω
  {ξ ¬: boolean} | if ξ then ξ_1 else ξ_2 ⇒ ω

2. For every type T that is a type-union of subtypes T_1, ..., T_n, and any expressions ξ, ξ_1, ..., ξ_n:

  {ξ : T_i} | T case ξ of T_1: ξ_1; ...; T_n: ξ_n ⇒ ξ_i   (for i = 1, ..., n)
  {ξ ¬: T} | T case ξ of T_1: ξ_1; ...; T_n: ξ_n ⇒ ω
  { } | T case ω of T_1: ξ_1; ...; T_n: ξ_n ⇒ ω

3. For any expressions ξ, ξ_1, ξ_2, φ:

  {ξ_1 = ξ_2} | ξ_1 equals ξ_2 ⇒ ξ_1 : any
  {ξ_1 ≠ ξ_2} | ξ_1 equals ξ_2 ⇒ not [ξ_1 : any and ξ_2 : any]
  {φ : boolean} | φ equals TRUE ⇒ φ
  {φ : boolean} | TRUE equals φ ⇒ φ
  {φ : boolean} | φ equals FALSE ⇒ not [φ]
  {φ : boolean} | FALSE equals φ ⇒ not [φ]
  { } | ξ ⊂ ξ ⇒ not [ξ : any]
  {ξ_1 ⊂ ξ_2} | ξ_2 ⊂ ξ_1 ⇒ FALSE
  {ξ_1 = ξ_2} | ξ_1 ⊂ ξ_2 ⇒ not [ξ_1 : any]
  {ξ_1 ⊄ ξ_2} | ξ_1 ⊂ ξ_2 ⇒ FALSE

4. For any expressions ξ_1, ξ_2 and any types T_1, T_2 such that no data object of type T_1 ever occurs structurally within an object of type T_2 (a property which is easily determined from the data type definitions):

  {ξ_1 : T_1, ξ_2 : T_2} | ξ_1 ⊂ ξ_2 ⇒ FALSE

5. For every construction type definition c(s_1: T_1, ..., s_n: T_n) and expressions ξ_1, ..., ξ_n, ψ_1, ..., ψ_n:

  {ξ_1 : T_1, ..., ξ_n : T_n, ψ_1 : T_1, ..., ψ_n : T_n} | c(ξ_1, ..., ξ_n) equals c(ψ_1, ..., ψ_n) ⇒ ξ_1 equals ψ_1 and ... and ξ_n equals ψ_n
  {c(ξ_1, ..., ξ_n) : c} | ξ_i ⊂ c(ξ_1, ..., ξ_n) ⇒ TRUE   (for i = 1, ..., n)

6. For every rule which rewrites an expression of the form ξ equals ψ there is a dual rule with the identical premises which rewrites ξ nequals ψ as the opposite boolean value. Similarly, for every rule rewriting an expression of the form ξ ⊂ ψ, there is a dual rule rewriting ξ ⊄ ψ.

7. For any primitive object (capital identifier) C, any data type T, and any expressions ξ, ψ:

  { } | C : T ⇒ TRUE   (when C is a member of T)
  { } | C : T ⇒ FALSE   (when C is not a member of T)
  { } | ξ : C ⇒ ξ equals C
  {ξ ¬: T} | ξ : T ⇒ FALSE
  {ξ : T} | ξ ¬: T ⇒ FALSE
  {ξ : any, ψ : any} | [ξ equals ψ] : boolean ⇒ TRUE
  {ξ : any, ψ : any} | [ξ nequals ψ] : boolean ⇒ TRUE
  {ξ : any, ψ : any} | [ξ ⊂ ψ] : boolean ⇒ TRUE
  {ξ : any, ψ : any} | [ξ ⊄ ψ] : boolean ⇒ TRUE
  {ξ : any} | [ξ : T] : boolean ⇒ TRUE
  {ξ : any} | [ξ ¬: T] : boolean ⇒ TRUE
  {ξ : boolean, ψ : boolean} | [ξ and ψ] : boolean ⇒ TRUE
  {ξ : boolean, ψ : boolean} | [ξ or ψ] : boolean ⇒ TRUE
  {ξ : boolean} | [not ξ] : boolean ⇒ TRUE

8. For any expression ξ and any types T_1, T_2 where T_1 is a subset of type T_2:

  {ξ : T_1} | ξ : T_2 ⇒ TRUE

9. For any expression ξ and any disjoint types T_1, T_2:

  {ξ : T_1} | ξ : T_2 ⇒ FALSE

10. For every construction type definition c(s_1: T_1, ..., s_n: T_n) and expressions ξ_1, ..., ξ_n:

  {ξ_1 : T_1, ..., ξ_n : T_n} | c(ξ_1, ..., ξ_n) : c ⇒ TRUE

11. For every rule which rewrites ξ : T there is a dual rule with identical premises which rewrites ξ ¬: T as the opposite boolean value.

12. For any expressions ξ, ψ and any type T:

  {ξ : boolean} | ξ and TRUE ⇒ ξ
  {ξ : boolean} | TRUE and ξ ⇒ ξ
  {ξ : boolean} | ξ and FALSE ⇒ FALSE
  {ξ : boolean} | FALSE and ξ ⇒ FALSE
  {ξ : boolean} | ξ or TRUE ⇒ TRUE
  {ξ : boolean} | TRUE or ξ ⇒ TRUE
  {ξ : boolean} | ξ or FALSE ⇒ ξ
  {ξ : boolean} | FALSE or ξ ⇒ ξ
  { } | not FALSE ⇒ TRUE
  { } | not TRUE ⇒ FALSE
  { } | not [ξ and ψ] ⇒ not [ξ] or not [ψ]
  { } | not [ξ or ψ] ⇒ not [ξ] and not [ψ]
  {ξ : boolean} | not not [ξ] ⇒ ξ
  { } | not [ξ equals ψ] ⇒ ξ nequals ψ
  { } | not [ξ nequals ψ] ⇒ ξ equals ψ
  { } | not [ξ ⊂ ψ] ⇒ ξ ⊄ ψ
  { } | not [ξ ⊄ ψ] ⇒ ξ ⊂ ψ
  { } | not [ξ : T] ⇒ ξ ¬: T
  { } | not [ξ ¬: T] ⇒ ξ : T

13. For any variable x and any expression ξ which does not contain x:

  {x = ξ} | x ⇒ ξ

14. For any expression ξ and any data object ζ (i.e. a primitive object or a constructed data object):

  {ξ = ζ} | ξ ⇒ ζ

15. For every function F (including all selectors, constructors, and the operators equals, nequals, ⊂, ⊄, and, or, not, :T [for any type T] and ¬:T [for any type T]) with domain T_1 × ... × T_n, and any expressions ξ_1, ..., ξ_n:

  {ξ_i ¬: T_i} | F(ξ_1, ..., ξ_n) ⇒ ω   (for i = 1, ..., n)
  {ξ_i = ω} | F(ξ_1, ..., ξ_n) ⇒ ω   (for i = 1, ..., n)


4.3  Formula  Simplification  Rules 

Formula simplification rules closely resemble expression simplification rules; the only difference is that they rewrite formulas instead of expressions. A formula simplification rule has the syntax B | α_1 ⇒ α_2, where B is a set of hypotheses, and α_1, α_2 are formulas. The rule B | α_1 ⇒ α_2 means that any occurrence of the formula α_1 in a goal A | γ may be replaced by α_2 if B is a subset of A. Since expressions can abbreviate formulas in our first-order language, expressions denoting formulas may be rewritten by formula simplification rules. A list of the formula simplification rules in Np follows:

1. For any expressions ξ_1, ξ_2:

  { } | ω ⇒ FALSE
  {ξ_1 ¬: boolean} | ξ_1 ⇒ FALSE
  { } | ξ_1 = ξ_1 ⇒ TRUE
  {ξ_2 = ξ_1} | ξ_1 = ξ_2 ⇒ TRUE
  {ξ_1 ≠ ξ_2} | ξ_1 = ξ_2 ⇒ FALSE
  {ξ_2 ≠ ξ_1} | ξ_1 = ξ_2 ⇒ FALSE
  {ξ_1 ⊂ ξ_2} | ξ_1 = ξ_2 ⇒ FALSE
  {ξ_2 ⊂ ξ_1} | ξ_1 = ξ_2 ⇒ FALSE
  {ξ_2 : any} | ω = ξ_2 ⇒ FALSE
  {ξ_1 : any} | ξ_1 = ω ⇒ FALSE
  { } | ξ_1 = TRUE ⇒ ξ_1
  { } | ξ_1 = FALSE ⇒ not [ξ_1]
  { } | TRUE = ξ_1 ⇒ ξ_1
  { } | FALSE = ξ_1 ⇒ not [ξ_1]
  { } | ξ_1 equals ξ_2 ⇒ ξ_1 = ξ_2 ∧ ξ_1 : any
  { } | ξ_1 nequals ξ_2 ⇒ ξ_1 ≠ ξ_2 ∧ ξ_1 : any ∧ ξ_2 : any

/ 

2. For any expressions ξ_1, ξ_2 and any disjoint types T_1 and T_2:

  {ξ_1 : T_1, ξ_2 : T_2} | ξ_1 = ξ_2 ⇒ FALSE

3. For every formula rule which rewrites a formula of the form ξ = ψ as α, there is a dual rule with the same hypotheses which rewrites ξ ≠ ψ as ¬α.

4. For every construction type definition c(s_1: T_1, ..., s_n: T_n) and expressions ξ_1, ..., ξ_n and ψ_1, ..., ψ_n:

  {c(ξ_1, ..., ξ_n) : c, c(ψ_1, ..., ψ_n) : c} | c(ξ_1, ..., ξ_n) = c(ψ_1, ..., ψ_n) ⇒ ξ_1 = ψ_1 ∧ ... ∧ ξ_n = ψ_n

5. For every formula α, β, and every expression ξ, ψ:

  {α} | α ⇒ TRUE
  {¬α} | α ⇒ FALSE
  { } | TRUE ∧ α ⇒ α
  { } | α ∧ TRUE ⇒ α
  { } | FALSE ∧ α ⇒ FALSE
  { } | α ∧ FALSE ⇒ FALSE
  { } | TRUE ∨ α ⇒ TRUE
  { } | α ∨ TRUE ⇒ TRUE
  { } | FALSE ∨ α ⇒ α
  { } | α ∨ FALSE ⇒ α
  { } | FALSE ⊃ α ⇒ TRUE
  { } | TRUE ⊃ α ⇒ α
  { } | α ⊃ TRUE ⇒ TRUE
  { } | α ≡ TRUE ⇒ α
  { } | TRUE ≡ α ⇒ α
  { } | α ≡ FALSE ⇒ ¬α
  { } | FALSE ≡ α ⇒ ¬α
  { } | ¬TRUE ⇒ FALSE
  { } | ¬FALSE ⇒ TRUE
  { } | ¬(ξ = ψ) ⇒ ξ ≠ ψ
  { } | ¬(ξ ≠ ψ) ⇒ ξ = ψ
  {ξ : boolean} | ¬ξ ⇒ not [ξ]
  { } | ¬¬α ⇒ α
  { } | ¬(α ∧ β) ⇒ ¬α ∨ ¬β
  { } | ¬(α ∨ β) ⇒ ¬α ∧ ¬β
  { } | ¬(α ⊃ β) ⇒ α ∧ ¬β

4.4 Goal Simplification Rules

The goal simplification rule denoted

  A | α ⇒ B | β

matches goal A | α and rewrites it as B | β. Formally, B | β is the premise of the rule and A | α is the conclusion. The three goal simplification rules of Np are:

  A ∪ {TRUE} | β ⇒ A | β
  A ∪ {FALSE} | β ⇒ { } | TRUE
  A ∪ {α ∧ γ} | β ⇒ A ∪ {α, γ} | β

where A is any hypothesis set, and β, α, γ are any formulas.


4.5 General Proof Rules

We will use Gentzen's notation to express many of the general proof rules of Np. His
notation for the inference rule with conclusion A | β and premises A1 | β1, ..., An | βn is:

    A1 | β1,  ...,  An | βn
    -----------------------
            A | β

The rules of Np and their justifications follow:
1. Equality substitution rule. The following expression rewrite rules may be applied to any
goal with a hypothesis set including the formula ξ1 = ξ2:

    ξ1  ->  ξ2
    ξ2  ->  ξ1

Justification. Immediate from the definition of truth for first-order formulas.

Although these rewrite rules resemble expression simplification rules in form, their
intended use is different. Simplification rules are designed so they may be applied
universally as part of a simplification procedure. Obviously, the rewrite rules above must
be applied selectively.

2. Transitivity of ⊂ rule. For any expressions ξ1, ξ2, ξ3; any hypothesis set A; and any
formula β:

    A ∪ {ξ1 ⊂ ξ2, ξ2 ⊂ ξ3, ξ1 ⊂ ξ3} | β
    ----------------------------------
        A ∪ {ξ1 ⊂ ξ2, ξ2 ⊂ ξ3} | β

Justification. Immediate from the definition of the function ⊂ in Mp.

3. Rule of consequence. For every goal A | β and formula α:

    A | α,   A ∪ {α} | β
    --------------------
           A | β

Justification. Immediate from the definition of truth for first-order formulas.

4. Hypothesis deletion rule. For every goal A | β and formula α:

        A | β
    -------------
    A ∪ {α} | β

Justification. Immediate from the definition of truth for first-order formulas.

5. Replacement rule. For any expression ξ, any type T, any formula β, and any hypothesis
set A such that no variable in ξ is bound in A (i.e. appears bound in an induction
hypothesis):

    A ∪ {x:T} | β,   A | ξ:T
    ------------------------
           A | β^ξ_x

(β^ξ_x denotes β with each free occurrence of x replaced by ξ.)

Justification. Immediate from the definition of truth for first-order formulas.


6. Type split rule. Let T be the union of types T1, ..., Tn. For any hypothesis set A, any
formula β, any expression ξ:

    A ∪ {ξ:T1} | β,  ...,  A ∪ {ξ:Tn} | β,   A | ξ:T
    -------------------------------------------------
                          A | β

Justification. An immediate consequence of Corollary 2.2.

7. Formula split rule. For any formula α containing no free variables other than those
appearing in the goal A | β:

    A ∪ {α} | β,   A ∪ {¬α} | β
    ---------------------------
              A | β

Justification. Immediate from the definition of truth for first-order formulas.

8. Construction rule. For any formula α, any hypothesis set A, any constructor type c
defined by the construction c(s1: T1, ..., sn: Tn), and any variables x1, ..., xn which do
not appear in A or α:

    A^{c(x1,...,xn)}_x ∪ {x1:T1, ..., xn:Tn} | α^{c(x1,...,xn)}_x
    ---------------------------------------------------------------
                          A ∪ {x:c} | α

Justification. Immediate from the definition of the constructor type c.

9. Induction rule. Let A | β be any goal with free variables x1, ..., xn not occurring in any
induction hypotheses of A. Let r be any expression containing no free variables other
than those in A | β, and let z1, ..., zn be variables distinct from all free variables in A | β.
Then:

    A ∪ {I*} | β
    ------------
        A | β

where

    I* = ∀z1,...,zn [A*^{z1,...,zn}_{x1,...,xn} ∪ {r^{z1,...,zn}_{x1,...,xn} ⊂ r} | β^{z1,...,zn}_{x1,...,xn}]

and A* = {all formulas in A, but not the induction hypotheses}.

Justification. This rule formalizes complete structural induction on the value of the
expression r under the well-founded partial ordering ⊂. To demonstrate that the rule is
valid, we fix the free variables in the goal A | β. Let r* denote the corresponding value of
the expression r. Since the partial ordering ⊂ is well-founded, we may assume the
induction hypothesis I asserting that the goal A | β is true for all values of the expression
r ⊂ r*. (In the base case where no such values of the expression r exist, the induction
hypothesis is vacuous.) Let x1, ..., xm be all the free variables in the goal A | β such that
x1, ..., xn do not appear free in any induction hypotheses, and let z1, ..., zm be variables
distinct from the variables of A | β. Then the goal augmented by the assumption I can be
formally expressed:

    A ∪ {I} | β

where

    I = ∀z1,...,zm [A^{z1,...,zm}_{x1,...,xm} ∪ {r^{z1,...,zm}_{x1,...,xm} ⊂ r} | β^{z1,...,zm}_{x1,...,xm}]

The induction hypothesis I* in the rule above is simply an instantiation of I which
eliminates any nested induction hypotheses in I. If there are no induction hypotheses in A,
then I and I* are identical. On the other hand, if A contains induction hypotheses i1, ..., ik,
then the new induction hypothesis I itself will contain induction hypotheses i1', ..., ik',
corresponding to the induction hypotheses i1, ..., ik in A. If we instantiate the variables
z_{n+1}, ..., z_m which are free within i1', ..., ik' as x_{n+1}, ..., x_m, respectively, then the
instantiations of the inner induction hypotheses i1', ..., ik' are identical to the induction
hypotheses i1, ..., ik in A. Consequently, the instantiated hypotheses may be eliminated,
making the instantiated I identical to I*.

10. Induction instantiation rule. Let ∀z1,...,zn [G ∪ {r ⊂ ψ} | α] be an induction hypothesis
in the goal A | β where G = {γ1, ..., γk}; let ψ1, ..., ψn be expressions containing no
variables other than the free variables of A | β; and let γ denote the formula γ1 ∧ ... ∧
γk ∧ (r ⊂ ψ). Then:

    A | γ^{ψ1,...,ψn}_{z1,...,zn},   A ∪ {α^{ψ1,...,ψn}_{z1,...,zn}} | β
    -----------------------------------------------------------------
                               A | β

Justification. Immediate from the definition of truth for first-order formulas.

11. Expansion rule. Let

    function f(x1: T1, ..., xn: Tn): T = τ(x1, ..., xn)

be a function definition in P. Then for any goal with a hypothesis set containing the
formulas ξ1: T1, ..., ξn: Tn we have the expression rewrite rule

    f(ξ1, ..., ξn)  ->  τ^{ξ1,...,ξn}_{x1,...,xn}

Justification. Immediate from Theorem 3.

This proof rule is identical in form to an expression simplification rule. However, in
practice it must be applied selectively while simplification rules are applied universally.

12. Lemma rule. A provable goal {α1, ..., αk} | γ serves as a lemma in the following rule. Let δ
denote the formula α1 ∧ ... ∧ αk. For any goal A | β:

    A ∪ {γ*} | β,   A | δ*,   {α1, ..., αk} | γ
    -------------------------------------------
                      A | β

where γ* and δ* are identical to γ and δ, respectively, when the free variables in the
latter formulas are replaced by a set of expressions containing no variables other than the free
variables in A | β.

Justification. Immediate from the definition of truth for first-order formulas.

The most interesting feature of Np is the power of the induction rule. It allows not only
complete induction on the structure of any variable in an assertion, but complete induction on
the structure of an arbitrary expression. The strength of this rule permits much simpler
correctness proofs of functions with complicated recursive structure such as a function which
sorts by successive merging (see Section 5.3).
CHAPTER 5

THE  IMPLEMENTED  VERIFICATION  SYSTEM 


5.1  Introduction 

While a pure natural deduction system like Np is a great improvement over standard
first-order deduction systems, it is still not a convenient tool for formally proving interesting
theorems about TYPED LISP programs. Proofs of non-trivial theorems are too long and
complicated to be feasible without some mechanical assistance. Consequently, I have
developed TLV, an interactive verification system for TYPED LISP (TLV is an acronym for
TYPED LISP Verifier), which helps the user construct proofs. My main design goal in
creating TLV was to automate as many of the straightforward steps in a proof as
possible, without letting the verifier get trapped in infinite loops or enormous searches in
non-trivial cases. Consequently, TLV requires programmer guidance to prove some theorems
which some other verifiers, such as Boyer and Moore's, can prove completely automatically.
However, my verifier can prove theorems far beyond the capabilities of completely automatic
verifiers with only a modest amount of direction from the programmer. Furthermore, TLV
terminates within a reasonable amount of time after every user command.


5.2  Structure  of  the  Verifier 

The top-level of the verifier is a command interpreter which accepts instructions from the
user. To verify a program the user first instructs the verifier to read the program from a
specified file. The verifier responds by parsing the program and constructing a semantic
representation (if the program contains no syntax errors) for future use by the verifier. The
verifier also generates a set of lemmas (called syntax lemmas) stating that each function in the
program not declared partial always terminates and returns an object of the proper type.
After the verifier has parsed the program, the user types in the theorems he wants to prove
and any lemmas he expects the proofs to require. At this point, the user is free to attack the
proofs of theorems and lemmas in any order that he wishes. The verifier keeps track of all
the dependencies (lemmas used in the course of a proof) of each lemma or theorem that he
proves, preventing any circularity. When the user attacks a particular lemma or theorem, the
verification system de-activates any lemmas that depend on the selected goal. Furthermore,
the user has the option of de-activating any lemmas that would otherwise be applied
automatically.

To prove a theorem, the user specifies the major steps in the proof, one at a time, and
the verifier simplifies the new goals generated by each step, reducing many of the new goals
to { } | TRUE. All proofs proceed backwards from the goal to be proved by successively
replacing each new subgoal by a set of simpler subgoals until no subgoals remain which do
not simplify to the form { } | TRUE. Since the verifier is completely interactive, the user has
the option of backing up an arbitrary number of steps within his current proof and trying a
different sequence of proof steps.

There is a very close correspondence between the proof steps available on the verifier
and the general proof rules of Np. The major difference is that the construction rule and the
expansion rule are not available as proof steps; they are applied automatically by the
simplifier. Minor differences are discussed in the TLV User's Manual, APPENDIX 2.

The heart of the verifier is a goal simplifier which performs the following functions:

1. It reduces the current goal by applying the simplification rules of Np and an optional
collection of rewrite rules (lemmas) provided by the user.

2. It expands function calls when either the expanded expression can be simplified, or the
expanded expression itself is a function-call.

3. If the hypothesis v: T appears in the goal, the simplifier applies the construction rule to
variable v.

Before the simplifier can apply a simplification rule or a rewrite rule, it must verify that all
the type constraints of the rule are satisfied. Consequently, the simplifier includes a type
evaluator which takes an expression γ and determines the smallest type containing γ given
the goal hypotheses, syntax lemmas, and type rules (lemmas) provided by the user.

User-provided rules can have one of the following forms:

1. A ∪ A* | ξ1 => ξ2 (an expression rewrite rule) where all the free variables in A ∪ {ξ2}
occur in A* ∪ {ξ1}.

2. A ∪ A* | α1 => α2 (a formula rewrite rule) where all the free variables in A ∪ {α2}
occur in A* ∪ {α1}.

3. A ∪ A* | ξ:T (a type rule) where all the free variables in A occur in A* ∪ {ξ}.

Formally, user-specified rules are simply statements in Np employed as lemmas. The symbol
"=>" has no logical significance; it is only syntactic "sugar" making the directionality of the
statements as rewrite rules clear.
The simplifier attempts to apply a particular expression or formula rewrite rule by
performing the following pattern-matching procedure.

1. It tries to match the left hand side of the rule's conclusion against an expression or
formula γ in the current goal. In order for the match to succeed, some substitution instance
of the left hand side of the rule must equal γ.

2. If the match in step 1 is successful, the simplifier applies the matching substitution from
step 1 to A* and attempts to match the transformed hypotheses in A* against hypotheses
of the current goal. In order for the match to succeed, some substitution instance of the
transformed hypothesis set A* must be a subset of the current goal's hypothesis set.

3. If the match in step 2 is successful, the simplifier replaces the variables in the rule's
hypotheses by their bound values from the matching operations in steps 1 and 2 and tries
to simplify these hypotheses to TRUE, given all the hypotheses of the current goal.

4. If all the rule's hypotheses simplify to TRUE, then the rewrite rule is applicable, and the
simplifier replaces the variables in the right hand side of the rule's conclusion by their
bound values from the matching operation and substitutes the transformed right hand side
for γ in the current goal.

To simplify a goal, the simplifier first simplifies each of the goal's hypotheses and then
simplifies the conclusion. If one of the hypotheses simplifies to FALSE or the conclusion
simplifies to TRUE, the verifier replaces the goal by { } | TRUE. When simplifying a formula
the verifier generally follows a "top-down" simplification strategy, applying the outermost
matching rule, since it presumably is the most general applicable transformation. In the
interest of efficiency, this strategy is not followed in every case.

The type evaluator computes the type of a given expression γ by matching γ against the
current goal's hypotheses, type rules, and syntax lemmas. To match the expression against a
type rule or syntax lemma, the type evaluator applies essentially the same matching algorithm
described above for the simplifier. If more than one type matches γ, the type evaluator
returns the intersection of the matched types as the expression's type.
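The four-step matching procedure and the top-down goal simplification just described, as an added Python example (an editor's illustration, not TLV's code). The term encoding (nested tuples, pattern variables prefixed with "?"), the fuel bound, and the names Rule, simplify and simplify_goal are this example's own assumptions; the built-in rules are a subset of the propositional rules of Chapter 4, and RULE_PLUS_1 is rule +1 of the demonstration in Section 5.3 written in this encoding, with its typing hypothesis placed in A* (matched syntactically) and its ordering hypothesis in A (discharged by simplification).

```python
"""Miniature goal simplifier in the style described for TLV (added example, not
TLV's code).  A term is a constant string or a tuple (functor, arg1, ...);
pattern variables are strings beginning with '?' (this example's own encoding)."""
from dataclasses import dataclass
TRUE, FALSE = "TRUE", "FALSE"

@dataclass(frozen=True)
class Rule:
    lhs: object
    rhs: object
    a_star: tuple = ()   # A*: hypotheses matched syntactically against the goal (step 2)
    a: tuple = ()        # A:  hypotheses that must simplify to TRUE (step 3)

def match(pat, term, s):
    """Step 1: extend substitution s so that s(pat) == term, else None."""
    if isinstance(pat, str) and pat.startswith("?"):
        return ({**s, pat: term} if pat not in s else
                s if s[pat] == term else None)
    if isinstance(pat, str) or isinstance(term, str):
        return s if pat == term else None
    if len(pat) != len(term) or pat[0] != term[0]:
        return None
    for p, t in zip(pat[1:], term[1:]):
        if (s := match(p, t, s)) is None:
            return None
    return s

def subst(s, t):
    if isinstance(t, str):
        return s.get(t, t) if t.startswith("?") else t
    return (t[0],) + tuple(subst(s, a) for a in t[1:])

def match_hyps(pats, hyps, s):
    """Step 2: every pattern hypothesis must equal some goal hypothesis."""
    if not pats:
        return s
    for h in hyps:
        s2 = match(pats[0], h, s)
        if s2 is not None and (s3 := match_hyps(pats[1:], hyps, s2)) is not None:
            return s3
    return None

def rewrite_once(term, hyps, rules, fuel):
    for r in rules:                              # steps 1-4 for each rule in turn
        s = match(r.lhs, term, {})
        s = None if s is None else match_hyps(list(r.a_star), hyps, s)
        if s is None:
            continue
        if all(simplify(subst(s, h), hyps, rules, fuel // 2) == TRUE for h in r.a):
            new = subst(s, r.rhs)                # step 4: instantiated right hand side
            if new != term:
                return new
    return None

def simplify(term, hyps, rules, fuel=40):
    """Top-down: outermost matching rule first, then the arguments; fuel bounds the
    number of rewrites so that a badly chosen user rule cannot loop the simplifier."""
    while fuel > 0 and (new := rewrite_once(term, hyps, rules, fuel)) is not None:
        term, fuel = new, fuel - 1
    if isinstance(term, str) or fuel <= 0:
        return term
    new_term = (term[0],) + tuple(simplify(a, hyps, rules, fuel) for a in term[1:])
    return simplify(new_term, hyps, rules, fuel - 1) if new_term != term else term

# Propositional simplification rules of Chapter 4 (a subset).
BUILTIN = [
    Rule(("and", TRUE, "?a"), "?a"), Rule(("and", "?a", TRUE), "?a"),
    Rule(("and", FALSE, "?a"), FALSE), Rule(("and", "?a", FALSE), FALSE),
    Rule(("or", TRUE, "?a"), TRUE), Rule(("or", "?a", TRUE), TRUE),
    Rule(("or", FALSE, "?a"), "?a"), Rule(("or", "?a", FALSE), "?a"),
    Rule(("not", TRUE), FALSE), Rule(("not", FALSE), TRUE), Rule(("not", ("not", "?a")), "?a"),
    Rule(("=", "?x", "?x"), TRUE), Rule("?a", TRUE, a_star=("?a",)),      # {α} | α -> TRUE
    Rule("?a", FALSE, a_star=(("not", "?a"),)),                          # {¬α} | α -> FALSE
]

def simplify_goal(hyps, concl, rules):
    """Section 4.4: drop TRUE hypotheses, split conjunctions, and reduce to ({ }, TRUE)
    on a FALSE hypothesis or a TRUE conclusion.  Each hypothesis is simplified against
    the *other* hypotheses only; matching {α} | α -> TRUE against itself erases it."""
    done, work = [], list(hyps)
    while work:
        h = simplify(work.pop(0), done + work, rules)
        if h == FALSE:
            return ([], TRUE)
        if isinstance(h, tuple) and h[0] == "and":
            work[:0] = [h[1], h[2]]
        elif h != TRUE:
            done.append(h)
    concl = simplify(concl, done, rules)
    return ([], TRUE) if concl == TRUE else (done, concl)

# Rule +1 of section 5.3 in this encoding: typing hypothesis in A*, ordering hypothesis in A.
RULE_PLUS_1 = Rule(lhs=("⊂", ("length", ("pair_merge", "?y")), ("length", "?y")),
                   rhs=TRUE, a_star=((":", "?y", "join"),),
                   a=(("⊂", ("suc", "ZERO"), ("length", "?y")),))

def demo():
    """A goal from the termination proof of sortl, reduced to { } | TRUE."""
    hyps = [(":", "y", "join"), ("⊂", ("suc", "ZERO"), ("length", "y"))]
    concl = ("and", ("⊂", ("length", ("pair_merge", "y")), ("length", "y")), ("=", "y", "y"))
    return simplify_goal(hyps, concl, BUILTIN + [RULE_PLUS_1])
```

Two details matter in practice. A hypothesis is simplified against the other hypotheses only: a simplifier that let {α} | α -> TRUE match the hypothesis being simplified would reduce every hypothesis to TRUE and discard it. The fuel bound plays the role of the termination guarantee TLV promises after every command; without it a user rule whose right hand side re-creates its left hand side would loop.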

5.3 Demonstration of the Verifier

As a demonstration of how the verifier works, let us trace through a "proof of correctness" for
a TYPED LISP program which sorts a linear-list of natural numbers into non-decreasing
order by successive merging. The program appears below:

type list = NIL ∪ cons(car: natnum, cdr: list)

    [Comment: type list is the set of linear-lists of natural numbers (natnums)]

type list_of_cons = NIL ∪ join(hd: cons, tl: list_of_cons)

    [Comment: type list_of_cons is the set of linear-lists of non-empty lists]

function drop(l: list): list_of_cons =
    list case l of
        NIL:  NIL
        cons: join(cons(car(l),NIL), drop(cdr(l)))

    [Comment: transforms list l into a linear-list of single-element lists]

function lequal(x: natnum, y: natnum): boolean = not[y ⊂ x]

declare function pair_merge(ll: list_of_cons): list_of_cons

    [Comment: declares the function pair_merge so sortl can call it; the parser cannot handle
    forward references]

function sortl(ll: join): list =
    list_of_cons case tl(ll) of
        NIL:  hd(ll)
        join: sortl(pair_merge(ll))

    [Comment: sorts the natnums contained in the non-empty list_of_cons ll into
    non-decreasing order]

function sort(l: list): list =
    list case l of
        NIL:  NIL
        cons: sortl(drop(l))

    [Comment: sorts the list l into non-decreasing order]

declare function merge(l1: list, l2: list): list

function pair_merge(ll: list_of_cons): list_of_cons =
    list_of_cons case ll of
        NIL:  NIL
        join: list_of_cons case tl(ll) of
                  NIL:  ll
                  join: join(merge(hd(ll),hd(tl(ll))), pair_merge(tl(tl(ll))))

    [Comment: merges successive pairs of lists in the list_of_cons ll]

declare function merge_cons(l1: cons, l2: cons): cons

function merge(l1: list, l2: list): list =
    list case l1 of
        NIL:  l2
        cons: list case l2 of
                  NIL:  l1
                  cons: merge_cons(l1, l2)

    [Comment: merges lists l1 and l2 into non-decreasing order]

function merge_cons(l1: cons, l2: cons): cons =
    if lequal(car(l1),car(l2)) then cons(car(l1), merge(cdr(l1),l2))
    else cons(car(l2), merge(l1,cdr(l2)))

    [Comment: merges non-empty lists l1 and l2 into non-decreasing order]

The TYPED LISP functions used for the purpose of stating and proving that the function
sort is correct are defined below:

function length(ll: list_of_cons): natnum =
    list_of_cons case ll of
        NIL:  ZERO
        join: suc(length(tl(ll)))

    [Comment: determines the number of lists in the list_of_cons ll]

function ordered_cons(l: cons): boolean =
    list case cdr(l) of
        NIL:  TRUE
        cons: if lequal(car(l),car(cdr(l))) then ordered_cons(cdr(l))
              else FALSE

    [Comment: determines whether or not the non-empty list l is non-decreasing]

function ordered(l: list): boolean =
    list case l of
        NIL:  TRUE
        cons: ordered_cons(l)

    [Comment: determines whether or not the list l is non-decreasing]

function list_ordered(ll: list_of_cons): boolean =
    list_of_cons case ll of
        NIL:  TRUE
        join: if ordered_cons(hd(ll)) then list_ordered(tl(ll))
              else FALSE

    [Comment: determines whether or not every list in the list_of_cons ll is non-decreasing]

function delete(n: natnum, l: list): list =
    list case l of
        NIL:  NIL
        cons: if n equals car(l) then cdr(l) else cons(car(l), delete(n,cdr(l)))

    [Comment: deletes the natnum n from list l]

function member(n: natnum, l: list): boolean =
    list case l of
        NIL:  FALSE
        cons: if n equals car(l) then TRUE
              else member(n,cdr(l))

    [Comment: determines whether or not natnum n is a member of list l]

function permutation(l1: list, l2: list): boolean =
    list case l1 of
        NIL:  l2 equals NIL
        cons: if member(car(l1),l2) then permutation(cdr(l1), delete(car(l1),l2))
              else FALSE

    [Comment: determines whether or not list l1 is a permutation of list l2]

function append(l1: list, l2: list): list =
    list case l1 of
        NIL:  l2
        cons: cons(car(l1), append(cdr(l1),l2))

    [Comment: appends list l2 to the end of list l1]

function list_append(l: list_of_cons): list =
    list_of_cons case l of
        NIL:  NIL
        join: append(hd(l), list_append(tl(l)))

    [Comment: appends together all the lists in l into a single list]

function list_permutation(l1: list_of_cons, l2: list_of_cons): boolean =
    permutation(list_append(l1), list_append(l2))

    [Comment: determines whether or not the linear-lists of natnums associated with
    list_of_cons l1 and l2 are permutations of each other]


The theorems we must prove to establish the correctness of sort are:

    theorem @1  x: list
        |- ordered(sort(x))

    theorem @2  x: list
        |- permutation(sort(x),x)
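The program and its specification functions, transcribed into Python as an added example (this is not code from the dissertation or from TLV), so that the two theorems above and the rules +1, +5 and +7 invoked in the proofs that follow can be checked exhaustively on small inputs before a proof is attempted. The nested-list encoding of list_of_cons and the helpers all_lists, check_theorems and check_rules are this example's own.

```python
"""The TYPED LISP sort program and its specification functions, transcribed into
Python (added example, not code from the dissertation) so that the theorems and
the lemmas used in the proofs can be checked exhaustively on small inputs.
Encoding, this example's own: a list of natnums is a Python list of ints; a
list_of_cons is a Python list of non-empty lists (join/hd/tl become nesting)."""
from itertools import product

def drop(l):                       # list -> list_of_cons of single-element lists
    return [[x] for x in l]

def lequal(x, y):                  # not[y ⊂ x]; on natnums ⊂ is <
    return not (y < x)

def merge_cons(l1, l2):            # both arguments non-empty (type cons)
    if lequal(l1[0], l2[0]):
        return [l1[0]] + merge(l1[1:], l2)
    return [l2[0]] + merge(l1, l2[1:])

def merge(l1, l2):
    if not l1:
        return l2
    return l1 if not l2 else merge_cons(l1, l2)

def pair_merge(ll):                # merges successive pairs of lists in ll
    if len(ll) < 2:
        return ll
    return [merge(ll[0], ll[1])] + pair_merge(ll[2:])

def sortl(ll):                     # ll non-empty (type join); recursion on length(ll)
    return ll[0] if len(ll) == 1 else sortl(pair_merge(ll))

def sort(l):
    return sortl(drop(l)) if l else []

# Specification functions.
def ordered_cons(l):               # l non-empty
    return len(l) == 1 or (lequal(l[0], l[1]) and ordered_cons(l[1:]))

def ordered(l):
    return ordered_cons(l) if l else True

def list_ordered(ll):
    return all(ordered_cons(c) for c in ll)

def delete(n, l):
    if not l:
        return []
    return l[1:] if n == l[0] else [l[0]] + delete(n, l[1:])

def member(n, l):
    return bool(l) and (n == l[0] or member(n, l[1:]))

def permutation(l1, l2):
    if not l1:
        return l2 == []
    return member(l1[0], l2) and permutation(l1[1:], delete(l1[0], l2))

def all_lists(max_len, max_val):
    """Constructed test universe: every list of natnums within the bounds."""
    for n in range(max_len + 1):
        for t in product(range(max_val), repeat=n):
            yield list(t)

def check_theorems(max_len=5, max_val=4):
    """@1 ordered(sort(x)) and @2 permutation(sort(x), x), for every small x."""
    return all(ordered(sort(x)) and permutation(sort(x), x)
               for x in all_lists(max_len, max_val))

def check_rules(max_len=3, max_val=3):
    """+1: suc(ZERO) ⊂ length(y) implies length(pair_merge(y)) ⊂ length(y);
    +5: list_ordered(y) implies list_ordered(pair_merge(y));
    +7: ordered_cons(x1) and ordered_cons(x2) imply ordered_cons(merge_cons(x1, x2))."""
    nonempty = [l for l in all_lists(max_len, max_val) if l]
    for k in range(4):
        for y in map(list, product(nonempty, repeat=k)):
            if len(y) > 1 and not len(pair_merge(y)) < len(y):
                return False
            if list_ordered(y) and not list_ordered(pair_merge(y)):
                return False
    return all(ordered_cons(merge_cons(a, b)) for a in nonempty for b in nonempty
               if ordered_cons(a) and ordered_cons(b))
```

check_rules is the executable counterpart of the three lemmas and check_theorems of the two theorems; both are evidence rather than proof, since they cover only the finite universe that all_lists enumerates, but a mis-stated lemma (for example +1 without its hypothesis suc(ZERO) ⊂ length(y), which fails for a one-element y) is caught here before any induction is attempted.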


In this section we present the interesting sections of the verifier's proof of theorem @1; the
complete correctness proof appears in APPENDIX 1. After the verifier parses the program,
it generates the following syntax lemmas asserting that each function in the program is total
and returns a value of the proper type:

    [-1]  l: list
          |- drop(l): list_of_cons

    [-2]  x: natnum, y: natnum
          |- lequal(x,y): boolean

    [-3]  ll: list_of_cons
          |- pair_merge(ll): list_of_cons

    [-4]  ll: join
          |- sortl(ll): list

    [-5]  l: list
          |- sort(l): list

    [-6]  l1: cons, l2: cons
          |- merge_cons(l1,l2): cons

    [-7]  l1: list, l2: list
          |- merge(l1,l2): list

    [-8]  ll: list_of_cons
          |- length(ll): natnum

    [-9]  l: cons
          |- ordered_cons(l): boolean

    [-10] l: list
          |- ordered(l): boolean

    [-11] ll: list_of_cons
          |- list_ordered(ll): boolean

    [-12] n: natnum, l: list
          |- delete(n,l): list

    [-13] l1: list, l2: list
          |- permutation(l1,l2): boolean

    [-14] l1: list, l2: list
          |- append(l1,l2): list

    [-15] l: list_of_cons
          |- list_append(l): list

    [-16] l1: list_of_cons, l2: list_of_cons
          |- list_permutation(l1,l2): boolean


The proofs of all the termination lemmas except for -4 (the termination of the function sortl)
are very easy and are omitted from this paper. However, since sortl uses a non-trivial
recursion scheme, the proof of -4 is slightly more complex, requiring the following lemmas
(automatically invoked by the simplifier):

    rule +1  y: join
        •1 suc(ZERO) ⊂ length(y)
        |- length(pair_merge(y)) ⊂ length(y) => TRUE

    rule +2  ll: join
        |- pair_merge(ll): join

We omit the proofs of +1 and +2; both are easy. The proof of -4 relative to +1 and +2
appears below:

User command: prove -4

    [Comment: this command sets up -4 as the initial goal to be proved]

Verifier response: PROVING -4
    ll: join
    |- sortl(ll): list

User command: induct length(ll)

    [Comment: this command applies induction on the structure of the value of length(ll)]

Verifier response: NEW GOALS:

    [1] ll: join
        •1 length(ll): ZERO
        &1 [ll': join
            length(ll') ⊂ length(ll)
            |- sortl(ll'): list]
        |- sortl(ll): list

        SIMPLIFIES TO:
        |- TRUE

    [2] ll: join
        •1 length(ll): suc
        &1 [ll': join
            length(ll') ⊂ length(ll)
            |- sortl(ll'): list]
        |- sortl(ll): list

        SIMPLIFIES TO:
        ll.hd.car: natnum, ll.hd.cdr: list, ll.tl: list_of_cons
        &1 [ll': join
            length(ll') ⊂ length(ll)
            |- sortl(ll'): list]
        |- sortl(join(cons(ll.hd.car,ll.hd.cdr),ll.tl)): list

    1 GOALS REMAIN TO BE PROVED

The formula labeled &1 is the generated induction hypothesis; all the primed variables in an
induction hypothesis are implicitly universally quantified over the scope of the hypothesis.
The simplifier easily reduces the first goal (the base step of the induction) to |- TRUE since ll:
join implies length(ll): suc. In the second goal (the induction step), the simplifier exploits the
fact that ll: join by creating new variables ll.hd.car, ll.hd.cdr, and ll.tl and replacing every
occurrence of ll by join(cons(ll.hd.car,ll.hd.cdr),ll.tl).

User command: type ll.tl

    [Comment: this command performs a case split on the type of the variable ll.tl]

Verifier response: NEW GOALS:

    [1] ll.hd.car: natnum, ll.hd.cdr: list, ll.tl: list_of_cons
        •1 ll.tl: NIL
        &1 [ll': join
            length(ll') ⊂ length(ll)
            |- sortl(ll'): list]
        |- sortl(join(cons(ll.hd.car,ll.hd.cdr),ll.tl)): list

        SIMPLIFIES TO:
        |- TRUE

    [2] ll.hd.car: natnum, ll.hd.cdr: list, ll.tl: list_of_cons
        •1 ll.tl: join
        &1 [ll': join
            length(ll') ⊂ length(ll)
            |- sortl(ll'): list]
        |- sortl(join(cons(ll.hd.car,ll.hd.cdr),ll.tl)): list

        SIMPLIFIES TO:
        |- TRUE

LEMMA -4 PROVED RELATIVE TO ASSERTIONS: +1 +2

To reduce the second new goal to |- TRUE, the verifier must apply rule +1, rule +2, the
induction hypothesis, and termination lemmas -3 and -7 (which the verifier already knows
are true).

The proof of the main theorem decomposes into three stages. For the first stage we
need the following lemma:

    rule +3  y: join
        •1 list_ordered(y)
        |- ordered(sortl(y)) => TRUE

We will prove +3 as the second stage in the proof of theorem @1. The first stage of the proof
proceeds as follows:

User command: prove @1

Verifier response: PROVING @1
    x: list
    |- ordered(sort(x))

User command: type x

    [Comment: this command does a case split on the type of x]

Verifier response: NEW GOALS:

    [1] x: list
        •1 x: NIL
        |- ordered(sort(x))

        SIMPLIFIES TO:
        |- TRUE

    [2] x: list
        •1 x: cons
        |- ordered(sort(x))

        SIMPLIFIES TO:
        x.cdr: list, x.car: natnum
        |- ordered(sortl(join(cons(x.car,NIL),drop(x.cdr))))

    1 GOALS REMAIN TO BE PROVED

User command: consequence list_ordered(join(cons(x.car,NIL),drop(x.cdr)))

    [Comment: this command applies the rule of consequence using the specified formula]

Verifier response: NEW GOALS:

    [1] x.cdr: list, x.car: natnum
        •1 list_ordered(join(cons(x.car,NIL),drop(x.cdr)))
        |- ordered(sortl(join(cons(x.car,NIL),drop(x.cdr))))

        SIMPLIFIES TO:
        |- TRUE

    [2] x.cdr: list, x.car: natnum
        |- list_ordered(join(cons(x.car,NIL),drop(x.cdr)))

        SIMPLIFIES TO:
        x.cdr: list, x.car: natnum
        |- list_ordered(drop(x.cdr))

    1 GOALS REMAIN TO BE PROVED

User command: induct x.cdr

    [Comment: this command applies induction on the structure of x.cdr]

Verifier response: NEW GOALS:

    [1] x.cdr: list, x.car: natnum
        •1 x.cdr: NIL
        &1 [x.cdr': list, x.car': natnum
            •1 x.cdr' ⊂ x.cdr
            |- list_ordered(drop(x.cdr')) => TRUE]
        |- list_ordered(drop(x.cdr))

        SIMPLIFIES TO:
        |- TRUE

    [2] x.cdr: list, x.car: natnum
        •1 x.cdr: cons
        &1 [x.cdr': list, x.car': natnum
            •1 x.cdr' ⊂ x.cdr
            |- list_ordered(drop(x.cdr')) => TRUE]
        |- list_ordered(drop(x.cdr))

        SIMPLIFIES TO:
        |- TRUE

PROOF OF @1 RELATIVE TO THE ASSERTIONS:

The proof of +3 depends on the following lemmas:

    rule +4  n.pred: natnum
        |- ZERO ⊂ suc(n.pred)

    rule +5  y: list_of_cons
        •1 list_ordered(y)
        |- list_ordered(pair_merge(y)) => TRUE

    rule +6  p: boolean, x: boolean
        |- if p then x else FALSE => p ∧ x

Since the proofs of +4 and +6 are very easy, they are omitted. The proof of +5 will comprise
the third and final stage of the proof. The second stage of the proof is:

User command: prove +3

Verifier response: PROVING +3
    y: join
    •1 list_ordered(y)
    |- ordered(sortl(y))

User command: induct length(y)

    [Comment: this command applies induction on the structure of length(y)]

Verifier response: NEW GOALS:

    [1] y: join
        •1 length(y): ZERO
        •2 list_ordered(y)
        &1 [y': join
            •1 length(y') ⊂ length(y)
            •2 list_ordered(y')
            |- ordered(sortl(y')) => TRUE]
        |- ordered(sortl(y))

        SIMPLIFIES TO:
        |- TRUE

    [2] y: join
        •1 length(y): suc
        •2 list_ordered(y)
        &1 [y': join
            •1 length(y') ⊂ length(y)
            •2 list_ordered(y')
            |- ordered(sortl(y')) => TRUE]
        |- ordered(sortl(y))

        SIMPLIFIES TO:
        y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum
        •1 ordered_cons(cons(y.hd.car,y.hd.cdr))
        •2 list_ordered(y.tl)
        &1 [y': join
            •1 length(y') ⊂ length(join(cons(y.hd.car,y.hd.cdr),y.tl))
            •2 list_ordered(y')
            |- ordered(sortl(y')) => TRUE]
        |- ordered(sortl(join(cons(y.hd.car,y.hd.cdr),y.tl)))

    1 GOALS REMAIN TO BE PROVED

User command: type y.tl

    [Comment: this command does a case split on the type of y.tl]

Verifier response: NEW GOALS:

    [1] y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum
        •1 y.tl: NIL
        •2 ordered_cons(cons(y.hd.car,y.hd.cdr))
        •3 list_ordered(y.tl)
        &1 [y': join
            •1 length(y') ⊂ length(join(cons(y.hd.car,y.hd.cdr),y.tl))
            •2 list_ordered(y')
            |- ordered(sortl(y')) => TRUE]
        |- ordered(sortl(join(cons(y.hd.car,y.hd.cdr),y.tl)))

        SIMPLIFIES TO:
        |- TRUE

    [2] y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum
        •1 y.tl: join
        •2 ordered_cons(cons(y.hd.car,y.hd.cdr))
        •3 list_ordered(y.tl)
        &1 [y': join
            •1 length(y') ⊂ length(join(cons(y.hd.car,y.hd.cdr),y.tl))
            •2 list_ordered(y')
            |- ordered(sortl(y')) => TRUE]
        |- ordered(sortl(join(cons(y.hd.car,y.hd.cdr),y.tl)))

        SIMPLIFIES TO:
        |- TRUE

PROOF OF +3 RELATIVE TO THE ASSERTIONS: +1 +2 +5


The final stage of the proof of theorem @1 presented in this demonstration is the proof of +5.
For this portion of the proof, we need the following lemma about merge_cons:

    rule +7  x1: cons, x2: cons
        •1 ordered_cons(x1)
        •2 ordered_cons(x2)
        |- ordered_cons(merge_cons(x1,x2))

The proof of +5 follows:

User command: prove +5

Verifier response: PROVING +5
    y: list_of_cons
    •1 list_ordered(y)
    |- list_ordered(pair_merge(y)) => TRUE


User command: induct y

    [Comment: this command applies induction on the structure of y]

Verifier response: NEW GOALS:

    [1] y: list_of_cons
        •1 y: NIL
        •2 list_ordered(y)
        &1 [y': list_of_cons
            •1 y' ⊂ y
            •2 list_ordered(y')
            |- list_ordered(pair_merge(y')) => TRUE]
        |- list_ordered(pair_merge(y)) => TRUE

        SIMPLIFIES TO:
        |- TRUE

    [2] y: list_of_cons
        •1 y: join
        •2 list_ordered(y)
        &1 [y': list_of_cons
            •1 y' ⊂ y
            •2 list_ordered(y')
            |- list_ordered(pair_merge(y')) => TRUE]
        |- list_ordered(pair_merge(y))

        SIMPLIFIES TO:
        y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum
        •1 ordered_cons(cons(y.hd.car,y.hd.cdr))
        •2 list_ordered(y.tl)
        &1 [y': list_of_cons
            •1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)
            •2 list_ordered(y')
            |- list_ordered(pair_merge(y')) => TRUE]
        |- list_ordered(
             list_of_cons case y.tl of
                 NIL:  join(cons(y.hd.car,y.hd.cdr),y.tl)
                 join: join(merge(cons(y.hd.car,y.hd.cdr),hd(y.tl)),
                            pair_merge(tl(y.tl))))
User command: type y.tl

    [Comment: this command does a case split on the type of y.tl]

Verifier response: NEW GOALS:

    [1] y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum
        •1 y.tl: NIL
        •2 ordered_cons(cons(y.hd.car,y.hd.cdr))
        •3 list_ordered(y.tl)
        &1 [y': list_of_cons
            •1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)
            •2 list_ordered(y')
            |- list_ordered(pair_merge(y')) => TRUE]
        |- list_ordered(
             list_of_cons case y.tl of
                 NIL:  join(cons(y.hd.car,y.hd.cdr),y.tl)
                 join: join(merge(cons(y.hd.car,y.hd.cdr),hd(y.tl)),
                            pair_merge(tl(y.tl))))

        SIMPLIFIES TO:
        |- TRUE

    [2] y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum
        •1 y.tl: join
        •2 ordered_cons(cons(y.hd.car,y.hd.cdr))
        •3 list_ordered(y.tl)
        &1 [y': list_of_cons
            •1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)
            •2 list_ordered(y')
            |- list_ordered(pair_merge(y')) => TRUE]
        |- list_ordered(
             list_of_cons case y.tl of
                 NIL:  join(cons(y.hd.car,y.hd.cdr),y.tl)
                 join: join(merge(cons(y.hd.car,y.hd.cdr),hd(y.tl)),
                            pair_merge(tl(y.tl))))

        SIMPLIFIES TO:
        |- TRUE

PROOF OF +5 RELATIVE TO THE ASSERTIONS: +7


5.4  Capabilities  of  the  Verification  System 

The  sample  theorems  proved  in  the  previous  example  are  typical  of  the  theorems  which  the 
TLV  verifier  can  prove  with  a reasonable  amount  of  programmer  guidance.  Among  the 
other  theorems  I have  proved  using  the  verifier  are:  the  termination  of  a program 
implementing  a unification  algorithm  (assuming  all  variables  have  been  renamed),  the 
equivalence  of  an  iterative  algorithm  (using  a stack)  and  a simple  recursive  algorithm  for 
counting  the  leaves  of  a binary  tree,  the  total  correctness  of  an  extended  version  (including 
assignment)  of  the  McCarthy-Painter  compiler  for  arithmetic  expressions  [McCarthy  and 
Painter  1967],  and  the  total  correctness  of  a very  simple  set  of  data  base  management 
functions.  An  extensive  set  of  examples  appears  in  APPENDIX  1. 
CHAPTER 6
FURTHER  WORK 


6.1  Improving  the  verification  system 

While the TYPED LISP Verifier is capable of proving many moderately hard theorems with
relatively little user guidance, it has many deficiencies. In many cases, the current
implementation places too large a burden on the user. Proving a theorem about a non-trivial
TYPED LISP program often requires proving a multitude of trivial lemmas (particularly syntax
lemmas) which could be proven completely automatically. In the TYPED LISP verification
system, however, the user must manually prove every single trivial lemma (or accept it on
faith). Although the proofs involved are very short, usually only one or two steps, it is
annoying for the user to have to worry about proving trivial lemmas at all. Consequently, the
system would be enhanced by the addition of a fast automatic theorem prover which would
attempt to prove, within a designated time limit, all of the syntax lemmas and any other
lemmas or theorems designated by the user. While many simple theorems inevitably would
stump the automatic prover, many would be proved without requiring any user attention.

Another aspect of the verification system which could be significantly improved is the
goal simplifier. Frequently, the simplifier fails to simplify a goal to TRUE because it expands
a function call too soon, preventing a rule match. Following a strict top-down simplification
strategy tends to minimize this problem, but at the prohibitive cost of exceedingly slow
execution. Even when following a faster, less effective simplification strategy the simplifier
runs very slowly. In the course of simplifying a goal, the simplifier continually repeats
simplifications and type computations it has already performed, executing the same laborious
pattern matches each time. A hashed representation for formulas and expressions would
solve this problem. With hashed representations, the simplifier could build tables storing the
simplified form or computed type for an expression after determining it once. Subsequent
attempts to simplify an expression or compute its type would find the answer stored in the
table. Unfortunately, the language in which the verifier is implemented, UCI LISP, has no
convenient hashed representation for formulas or expressions.
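The table-driven scheme proposed above, as an added illustration in Python (this is not code from the TYPED LISP verifier, and the verifier is written in UCI LISP). Expressions are hash-consed, so structurally equal subexpressions are one object and a table keyed on the node records its simplified form or its type the first time it is computed. The rewrite rules are the two clauses of `app` from Example 1 of Appendix 1; the variable environment and the nested `app(e, e)` test expression are constructed for the example. Counting node visits with and without the tables shows the repeated work the text describes: on a shared expression the untabled simplifier and type computer do exponential work, the tabled ones linear.

```python
"""Hash-consed expressions with a memoized simplifier and type computation.

Added illustration of the table-driven scheme proposed in Section 6.1; it is
not code from the TYPED LISP verifier.  The rewrite rules are the two clauses
of the `app` function from Appendix 1, Example 1, and the variable
environment is constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True, eq=False)   # eq=False: identity hash, O(1) per node
class Expr:
    op: str                          # constructor, function symbol or variable
    args: Tuple["Expr", ...] = ()


_intern: Dict[Tuple[str, Tuple[Expr, ...]], Expr] = {}


def mk(op: str, *args: Expr) -> Expr:
    """Hash-cons: structurally equal expressions become the same object, so a
    table keyed on the node can remember its simplified form or its type."""
    key = (op, args)
    if key not in _intern:
        _intern[key] = Expr(op, args)
    return _intern[key]


NIL = mk("NIL")
ENV = {"x": "list", "y": "list", "a": "atom"}   # constructed variable types


class Simplifier:
    def __init__(self, memo: bool) -> None:
        self.memo = memo
        self.simp_table: Dict[Expr, Expr] = {}
        self.type_table: Dict[Expr, str] = {}
        self.visits = 0                # node visits; what the tables save

    def type_of(self, e: Expr) -> str:
        if self.memo and e in self.type_table:
            return self.type_table[e]
        self.visits += 1
        if e.op in ENV:
            t = ENV[e.op]
        elif e.op == "NIL":
            t = "NIL"
        elif e.op == "cons":
            car, cdr = (self.type_of(a) for a in e.args)
            assert car == "atom" and cdr in ("list", "NIL", "cons"), e
            t = "cons"
        elif e.op == "app":
            assert all(self.type_of(a) in ("list", "NIL", "cons") for a in e.args), e
            t = "list"
        else:
            raise ValueError(f"unknown symbol {e.op}")
        if self.memo:
            self.type_table[e] = t
        return t

    def simplify(self, e: Expr) -> Expr:
        if self.memo and e in self.simp_table:
            return self.simp_table[e]
        self.visits += 1
        r = mk(e.op, *(self.simplify(a) for a in e.args))   # bottom-up
        if r.op == "app":                                   # app's two clauses
            x, y = r.args
            if x.op == "NIL":                               # app(NIL, y) -> y
                r = y
            elif x.op == "cons":                            # app(cons(a,x'), y) -> cons(a, app(x', y))
                r = self.simplify(mk("cons", x.args[0], mk("app", x.args[1], y)))
        if self.memo:
            self.simp_table[e] = r
        return r


def doubled(depth: int) -> Expr:
    """app(e, e) nested `depth` times over x: a small DAG with 2**depth paths."""
    e = mk("x")
    for _ in range(depth):
        e = mk("app", e, e)
    return e


def type_visits(depth: int, memo: bool) -> int:
    s = Simplifier(memo)
    assert s.type_of(doubled(depth)) == "list"
    return s.visits


def simplify_visits(depth: int, memo: bool) -> int:
    s = Simplifier(memo)
    s.simplify(doubled(depth))
    return s.visits
```

With `depth = 8` the untabled versions visit 511 nodes and the tabled ones 9, one per distinct subexpression. The identity-based hash is what keeps the table lookups cheap: because `mk` interns every node, structural equality coincides with object identity, so neither the key nor the lookup has to walk the expression.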
6.2 Proving Theorems About Partial Functions

At this point in time, none of the theorems proved on the verifier involve partial functions.
As I argued in Section 3.3, partial functions aren't necessary for most practical programming
applications. But there are important exceptions. For example, proving the correctness of a
compiler for a universal language (in the sense of Church's Thesis) is a significant practical
application requiring the use of partial functions. The interpreters defining the semantics of
the source and target languages cannot be expressed as total functions on recursive types. In
order to prove interesting theorems about partial functions in the deductive system, the partial
function definitions must have unique least call-by-value fixed-points. If the definitions are
written so the partial functions compute entire computation sequences rather than single
values, then they will have a unique least fixed-point. I hope to use this approach to prove
the correctness of a compiler for a simple procedural language including arithmetic
expressions, assignment, and while-loops.


6.3  Extending  TYPED  LISP 

LISP,  in  all  its  current  incarnations,  is  a seriously  flawed  language  for  verification  purposes. 
In  contrast  to  PURE  LISP  and  TYPED  LISP,  the  implemented  versions  of  LISP  have 
intractable  semantics  because  they  include  numerous  features  designed  to  make  the  language 
more comprehensive and efficient. On the other hand, neither PURE LISP nor TYPED LISP
is a suitable language for most symbolic computing applications. They are too restrictive.
There  is  a glaring  need  for  a variant  of  LISP  which  includes  enough  practical  features  for 
most  symbolic  computing  applications  (such  as  program  verification  systems),  yet  excludes 
constructs  with  unmanageable  semantics.  I think  TYPED  LISP  would  make  an  excellent 
starting  point  for  such  a language.  As  I pointed  out  in  Section  1.3,  user-defined  data  types 
can  significantly  simplify  the  task  of  writing  and  verifying  programs  which  manipulate 
symbolic  data.  I would  like  to  see  an  extended  version  of  TYPED  LISP  implemented, 
including  the  following  features  not  present  in  the  current  TYPED  LISP  language. 

1.  Input/output  operations. 

2.  Global  variables. 

3.  Table  functions  (equivalent  to  attaching  properties  to  arbitrary  data  objects). 

4.  Data  type  definitions  creating  types  which  are  unions  of  all  defined  types  fitting  a 
particular  scheme  (permitting,  for  example,  a single  append  function  for  data  types  which 
have  the  form  of  a list). 

5.  Data  type  definitions  creating  types  which  are  arbitrary  recursive  subsets  of  defined  types. 

6.  Some  means  for  conveniently  treating  programs  as  data. 


APPENDIX  I 
SAMPLE  PROOFS 


A 1.1  Example  1:  Iterative  REVERSE 

program rev1;

type list = NIL U cons(car: atom, cdr: list)

function app(x: list, y: list): list =
  list case x of
    NIL: y
    cons: cons(car(x), app(cdr(x), y))

function rev1(x: list, y: list): list =
  list case x of
    NIL: y
    cons: rev1(cdr(x), cons(car(x), y))

function rev(x: list): list = rev1(x, NIL)

THE FOLLOWING SYNTAX LEMMAS HAVE BEEN GENERATED BY THE PARSER:

[-1]
x: list, y: list
|- app(x,y) : list;

[-2]
x: list, y: list
|- rev1(x,y) : list;

[-3]
x: list
|- rev(x) : list;


theorem *1
x: list
|- rev(rev(x)) = x;
THEOREM 1 ACCEPTED


rule +1
x: list, y: list
|- rev1(rev1(x,y),NIL) => rev1(y,x);
+1 ACCEPTED
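The program above, transcribed into Python as an added example (it is not code from the dissertation), with theorem *1 and rule +1 checked exhaustively on small constructed inputs. A TYPED LISP list is represented as NIL = None and cons(car, cdr) = (car, cdr), so the structural equality the verifier reasons about is tuple equality here. The check also makes visible why the user states +1 before proving *1: the accumulator argument y of rev1 has to be generalised for the induction on x to go through, and *1 is the instance y = NIL.

```python
"""The iterative REVERSE program of Example 1 in Python, with theorem *1 and
rule +1 checked exhaustively on small constructed inputs.

Added example, not part of the dissertation.  A TYPED LISP list is
represented as NIL = None and cons(car, cdr) = (car, cdr)."""
from itertools import product

NIL = None


def cons(car, cdr):
    return (car, cdr)


def car(x):
    return x[0]


def cdr(x):
    return x[1]


def app(x, y):
    """list case x of NIL: y; cons: cons(car(x), app(cdr(x), y))"""
    return y if x is NIL else cons(car(x), app(cdr(x), y))


def rev1(x, y):
    """list case x of NIL: y; cons: rev1(cdr(x), cons(car(x), y))"""
    return y if x is NIL else rev1(cdr(x), cons(car(x), y))


def rev(x):
    return rev1(x, NIL)


def from_py(items):
    """Build a TYPED LISP list from a Python sequence."""
    x = NIL
    for a in reversed(items):
        x = cons(a, x)
    return x


def to_py(x):
    out = []
    while x is not NIL:
        out.append(car(x))
        x = cdr(x)
    return out


def check(max_len=4, atoms="ab"):
    """Check *1  rev(rev(x)) = x  and  +1  rev1(rev1(x,y),NIL) = rev1(y,x)
    for every list over `atoms` of length <= max_len.  Rule +1 is the
    generalisation over the accumulator y that makes the induction on x
    go through; *1 is its instance y = NIL."""
    lists = [from_py(w) for n in range(max_len + 1)
             for w in product(atoms, repeat=n)]
    for x in lists:
        assert rev(rev(x)) == x                          # theorem *1
        for y in lists:
            assert rev1(rev1(x, y), NIL) == rev1(y, x)   # rule +1
    return True
```

Running `check()` exercises 31 lists for *1 and all 961 pairs for +1; the exhaustive check is evidence, not a proof, which is the point of the transcript that follows.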


prove *1;

PROVING *1
x: list
|- rev(rev(x)) = x

CURRENT GOAL:
[1]
x: list
|- rev(rev(x)) = x

SIMPLIFIES TO:

TRUE

PROOF OF *1 RELATIVE TO THE ASSERTIONS:
+1

UNPROVED RULES: +1

UNPROVED SYNTAX LEMMAS: -3 -2 -1

qed;


prove +1;

PROVING +1
x: list, y: list
|- rev1(rev1(x,y),NIL) => rev1(y,x)

induct x <;

NEW GOALS:
[1]
x: list, y: list
#1 x: NIL
&1 [x': list, y': list
    #1 x' < x
    |- rev1(rev1(x',y'),NIL) => rev1(y',x')]
|- rev1(rev1(x,y),NIL) = rev1(y,x)

SIMPLIFIES TO:

TRUE

[2]
x: list, y: list
#1 x: cons
&1 [x': list, y': list
    #1 x' < x
    |- rev1(rev1(x',y'),NIL) => rev1(y',x')]
|- rev1(rev1(x,y),NIL) = rev1(y,x)

SIMPLIFIES TO:

TRUE

PROOF OF +1

UNPROVED SYNTAX LEMMAS: -3 -2 -1
qed;


prove -1;

PROVING -1
x: list, y: list
|- app(x,y) : list

induct x;

NEW GOALS:
[1]
x: list, y: list
#1 x: NIL
&1 [x': list, y': list
    #1 x' < x
    |- app(x',y') : list]
|- app(x,y) : list

SIMPLIFIES TO:

TRUE

[2]
x: list, y: list
#1 x: cons
&1 [x': list, y': list
    #1 x' < x
    |- app(x',y') : list]
|- app(x,y) : list

SIMPLIFIES TO:

TRUE

PROOF OF -1

UNPROVED SYNTAX LEMMAS: -3 -2
qed;


prove -2;

PROVING -2
x: list, y: list
|- rev1(x,y) : list

induct x;

NEW GOALS:
[1]
x: list, y: list
#1 x: NIL
&1 [x': list, y': list
    #1 x' < x
    |- rev1(x',y') : list]
|- rev1(x,y) : list

SIMPLIFIES TO:

TRUE

[2]
x: list, y: list
#1 x: cons
&1 [x': list, y': list
    #1 x' < x
    |- rev1(x',y') : list]
|- rev1(x,y) : list

SIMPLIFIES TO:

TRUE

PROOF OF -2

UNPROVED SYNTAX LEMMAS: -3

qed;


prove -3;

PROVING -3
x: list
|- rev(x) : list

CURRENT GOAL:
[1]
x: list
|- rev(x) : list

SIMPLIFIES TO:

TRUE

PROOF OF -3
qed;


A 1.2  Example  2:  Total  correctness  of  FLATTEN 

program flat;

type tree = atom U join(left: tree, right: tree)
type list = NIL U cons(car: atom, cdr: list)

function fast_flat1(t: tree, l: list): list =
  tree case t of
    atom: cons(t,l)
    join: fast_flat1(left(t), fast_flat1(right(t), l))

function fast_flat(t: tree): list = fast_flat1(t, NIL)

function append(l1: list, l2: list): list =
  list case l1 of
    NIL: l2
    cons: cons(car(l1), append(cdr(l1), l2))

function slow_flat(t: tree): list =
  tree case t of
    atom: cons(t, NIL)
    join: append(slow_flat(left(t)), slow_flat(right(t)))

THE FOLLOWING SYNTAX LEMMAS HAVE BEEN GENERATED BY THE PARSER:

[-1]
t: tree, l: list
|- fast_flat1(t,l) : list;

[-2]
t: tree
|- fast_flat(t) : list;

[-3]
l1: list, l2: list
|- append(l1,l2) : list;

[-4]
t: tree
|- slow_flat(t) : list;


prove -1;

PROVING -1
t: tree, l: list
|- fast_flat1(t,l) : list

induct t;

NEW GOALS:
[1]
t: tree, l: list
#1 t: atom
&1 [t': tree, l': list
    #1 t' < t
    |- fast_flat1(t',l') : list]
|- fast_flat1(t,l) : list

SIMPLIFIES TO:

TRUE

[2]
t: tree, l: list
#1 t: join
&1 [t': tree, l': list
    #1 t' < t
    |- fast_flat1(t',l') : list]
|- fast_flat1(t,l) : list

SIMPLIFIES TO:

TRUE

PROOF OF -1

UNPROVED SYNTAX LEMMAS: -4 -3 -2
qed;


prove -2;

PROVING -2
t: tree
|- fast_flat(t) : list

NEW GOALS:
[1]
t: tree
|- fast_flat(t) : list

SIMPLIFIES TO:

TRUE

PROOF OF -2

UNPROVED SYNTAX LEMMAS: -4 -3

qed;


prove -3;

PROVING -3
l1: list, l2: list
|- append(l1,l2) : list

induct l1;

NEW GOALS:
[1]
l1: list, l2: list
#1 l1: NIL
&1 [l1': list, l2': list
    #1 l1' < l1
    |- append(l1',l2') : list]
|- append(l1,l2) : list

SIMPLIFIES TO:

TRUE

[2]
l1: list, l2: list
#1 l1: cons
&1 [l1': list, l2': list
    #1 l1' < l1
    |- append(l1',l2') : list]
|- append(l1,l2) : list

SIMPLIFIES TO:

TRUE

PROOF OF -3

UNPROVED SYNTAX LEMMAS: -4
qed;


prove -4;

PROVING -4
t: tree
|- slow_flat(t) : list

induct t;

NEW GOALS:
[1]
t: tree
#1 t: atom
&1 [t': tree
    #1 t' < t
    |- slow_flat(t') : list]
|- slow_flat(t) : list

SIMPLIFIES TO:

TRUE

[2]
t: tree
#1 t: join
&1 [t': tree
    #1 t' < t
    |- slow_flat(t') : list]
|- slow_flat(t) : list

SIMPLIFIES TO:

TRUE

PROOF OF -4
qed;


theorem *1
t: tree
|- fast_flat(t) = slow_flat(t);
THEOREM 1 ACCEPTED


rule +1
t: tree, l: list
|- fast_flat1(t,l) => append(slow_flat(t), l);
+1 ACCEPTED
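The FLATTEN program and the statements just entered, transcribed into Python as an added example (not code from the dissertation). Theorem *1 and rule +1 are checked on every binary tree shape with up to five leaves, and the two append rules the proof below introduces (+2 associativity, +3 the NIL right identity) on small lists; the tree shapes and list tails are constructed inputs. An atom is a str, a join is the tuple ("join", left, right), and a list is NIL = None or (car, cdr).

```python
"""The FLATTEN program of Example 2 in Python: theorem *1 (fast_flat =
slow_flat) and the append rules +1, +2, +3 are checked on every tree shape
with up to five leaves (constructed inputs).

Added example, not part of the dissertation.  A tree atom is a str, a join is
the tuple ("join", left, right); a list is NIL = None or (car, cdr)."""

NIL = None


def cons(car, cdr):
    return (car, cdr)


def car(l):
    return l[0]


def cdr(l):
    return l[1]


def is_atom(t):
    return isinstance(t, str)


def join(left, right):
    return ("join", left, right)


def left(t):
    return t[1]


def right(t):
    return t[2]


def fast_flat1(t, l):
    """tree case t of atom: cons(t,l); join: fast_flat1(left(t), fast_flat1(right(t), l))"""
    if is_atom(t):
        return cons(t, l)
    return fast_flat1(left(t), fast_flat1(right(t), l))


def fast_flat(t):
    return fast_flat1(t, NIL)


def append(l1, l2):
    return l2 if l1 is NIL else cons(car(l1), append(cdr(l1), l2))


def slow_flat(t):
    """tree case t of atom: cons(t,NIL); join: append(slow_flat(left(t)), slow_flat(right(t)))"""
    if is_atom(t):
        return cons(t, NIL)
    return append(slow_flat(left(t)), slow_flat(right(t)))


def from_py(items):
    l = NIL
    for a in reversed(items):
        l = cons(a, l)
    return l


def to_py(l):
    out = []
    while l is not NIL:
        out.append(car(l))
        l = cdr(l)
    return out


def shapes(n):
    """Every binary tree with exactly n leaves, leaf i labelled str(i)."""
    def gen(lo, hi):
        if hi - lo == 1:
            yield str(lo)
            return
        for mid in range(lo + 1, hi):
            for l in gen(lo, mid):
                for r in gen(mid, hi):
                    yield join(l, r)
    return gen(0, n)


def leaves(t):
    return [t] if is_atom(t) else leaves(left(t)) + leaves(right(t))


def check(max_leaves=5):
    """*1 and +1 over all shapes; +2 and +3 over small lists."""
    tails = [from_py(w) for w in ([], ["x"], ["x", "y"])]
    for n in range(1, max_leaves + 1):
        for t in shapes(n):
            assert fast_flat(t) == slow_flat(t)                     # theorem *1
            assert to_py(fast_flat(t)) == leaves(t)                 # left-to-right leaf order
            for l in tails:
                assert fast_flat1(t, l) == append(slow_flat(t), l)  # rule +1
    for x in tails:
        assert append(x, NIL) == x                                  # rule +3
        for y in tails:
            for z in tails:
                assert append(append(x, y), z) == append(x, append(y, z))  # rule +2
    return True
```

Rule +1 is again the generalisation that makes the induction work: fast_flat1 carries the already-flattened right context in its accumulator, and the join case of the proof below reduces exactly to the associativity of append on that accumulator, which is why +2 has to be entered mid-proof.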


prove +1;

PROVING +1
t: tree, l: list
|- fast_flat1(t,l) => append(slow_flat(t), l)

induct t <;

NEW GOALS:
[1]
t: tree, l: list
#1 t: atom
&1 [t': tree, l': list
    #1 t' < t
    |- fast_flat1(t',l') => append(slow_flat(t'), l')]
|- fast_flat1(t,l) = append(slow_flat(t), l)

SIMPLIFIES TO:

TRUE

[2]
t: tree, l: list
#1 t: join
&1 [t': tree, l': list
    #1 t' < t
    |- fast_flat1(t',l') => append(slow_flat(t'), l')]
|- fast_flat1(t,l) = append(slow_flat(t), l)

SIMPLIFIES TO:

t.right: tree, t.left: tree, l: list
&1 [t': tree, l': list
    #1 t' < join(t.left, t.right)
    |- fast_flat1(t',l') => append(slow_flat(t'), l')]
|- append(slow_flat(t.left), append(slow_flat(t.right), l)) = append(append(slow_flat(t.left), slow_flat(t.right)), l)

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

t.right: tree, t.left: tree, l: list
&1 [t': tree, l': list
    #1 t' < join(t.left, t.right)
    |- fast_flat1(t',l') => append(slow_flat(t'), l')]
|- append(slow_flat(t.left), append(slow_flat(t.right), l)) = append(append(slow_flat(t.left), slow_flat(t.right)), l)


rule +2
x: list, y: list, z: list
|- append(append(x,y),z) => append(x, append(y,z));
+2 ACCEPTED

CURRENT GOAL:
[1]
t.right: tree, t.left: tree, l: list
&1 [t': tree, l': list
    #1 t' < join(t.left, t.right)
    |- fast_flat1(t',l') => append(slow_flat(t'), l')]
|- append(slow_flat(t.left), append(slow_flat(t.right), l)) = append(append(slow_flat(t.left), slow_flat(t.right)), l)

SIMPLIFIES TO:

TRUE

PROOF OF +1 RELATIVE TO THE ASSERTIONS:
+2

UNPROVED THEOREMS: *1
UNPROVED RULES: +2

qed;


prove *1;

PROVING *1
t: tree
|- fast_flat(t) = slow_flat(t)

CURRENT GOAL:
[1]
t: tree
|- fast_flat(t) = slow_flat(t)

SIMPLIFIES TO:

t: tree
|- append(slow_flat(t),NIL) = slow_flat(t)

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

t: tree
|- append(slow_flat(t),NIL) = slow_flat(t)


rule +3
x: list
|- append(x,NIL) => x;
+3 ACCEPTED

CURRENT GOAL:
[1]
t: tree
|- append(slow_flat(t),NIL) = slow_flat(t)

SIMPLIFIES TO:

TRUE

PROOF OF *1 RELATIVE TO THE ASSERTIONS:
+3 +2

UNPROVED RULES: +3 +2
qed;


prove +2;

PROVING +2
x: list, y: list, z: list
|- append(append(x,y),z) => append(x, append(y,z))

induct x;

NEW GOALS:
[1]
x: list, y: list, z: list
#1 x: NIL
&1 [x': list, y': list, z': list
    #1 x' < x
    |- append(append(x',y'),z') = append(x', append(y',z')) => TRUE]
|- append(append(x,y),z) = append(x, append(y,z))

SIMPLIFIES TO:

TRUE

[2]
x: list, y: list, z: list
#1 x: cons
&1 [x': list, y': list, z': list
    #1 x' < x
    |- append(append(x',y'),z') = append(x', append(y',z')) => TRUE]
|- append(append(x,y),z) = append(x, append(y,z))

SIMPLIFIES TO:

TRUE

PROOF OF +2
UNPROVED RULES: +3

qed;


prove +3;

PROVING +3
x: list
|- append(x,NIL) => x

induct x <;

NEW GOALS:
[1]
x: list
#1 x: NIL
&1 [x': list
    #1 x' < x
    |- append(x',NIL) => x']
|- append(x,NIL) = x

SIMPLIFIES TO:

TRUE

[2]
x: list
#1 x: cons
&1 [x': list
    #1 x' < x
    |- append(x',NIL) => x']
|- append(x,NIL) = x

SIMPLIFIES TO:

TRUE

PROOF OF +3
qed;


A 1.3 Example 3: Total Correctness of Sorting by Merging

program sort1;

type list = NIL U cons(car: natnum, cdr: list)
type list_of_cons = NIL U join(hd: cons, tl: list_of_cons)

function drop(l: list): list_of_cons =
  list case l of
    NIL: NIL
    cons: join(cons(car(l), NIL), drop(cdr(l)))

declare function lequal(x: natnum, y: natnum): boolean

function ordered_cons(l: cons): boolean =
  list case cdr(l) of
    NIL: TRUE
    cons: if lequal(car(l), car(cdr(l))) then ordered_cons(cdr(l))
          else FALSE

function ordered(l: list): boolean =
  list case l of
    NIL: TRUE
    cons: ordered_cons(l)

function list_ordered(ll: list_of_cons): boolean =
  list_of_cons case ll of
    NIL: TRUE
    join: if ordered_cons(hd(ll)) then list_ordered(tl(ll))
          else FALSE

declare function pair_merge(ll: list_of_cons): list_of_cons

function sort1(ll: join): list =
  list_of_cons case tl(ll) of
    NIL: hd(ll)
    join: sort1(pair_merge(ll))

function sort(l: list): list =
  list case l of
    NIL: NIL
    cons: sort1(drop(l))

function length(ll: list_of_cons): natnum =
  list_of_cons case ll of
    NIL: ZERO
    join: suc(length(tl(ll)))

THE FOLLOWING FUNCTIONS ARE UNDEFINED:
pair_merge
lequal

THE FOLLOWING SYNTAX EXCEPTIONS HAVE BEEN GENERATED BY THE PARSER:

[1]
ll: join
#1 tl(ll): join
|- pair_merge(ll) : join;

[2]
l: cons
|- drop(l) : join;

THE FOLLOWING SYNTAX LEMMAS HAVE BEEN GENERATED BY THE PARSER:

[-1]
l: list
|- drop(l) : list_of_cons;

[-2]
x: natnum, y: natnum
|- lequal(x,y) : boolean;

[-3]
l: cons
|- ordered_cons(l) : boolean;

[-4]
l: list
|- ordered(l) : boolean;

[-5]
ll: list_of_cons
|- list_ordered(ll) : boolean;

[-6]
ll: list_of_cons
|- pair_merge(ll) : list_of_cons;

[-7]
ll: join
|- sort1(ll) : list;

[-8]
l: list
|- sort(l) : list;

[-9]
ll: list_of_cons
|- length(ll) : natnum;


program perm1;

declare function permutation(l1: list, l2: list): boolean
declare function append(l1: list, l2: list): list

function list_append(l: list_of_cons): list =
  list_of_cons case l of
    NIL: NIL
    join: append(hd(l), list_append(tl(l)))

function list_permutation(l1: list_of_cons, l2: list_of_cons): boolean =
  permutation(list_append(l1), list_append(l2))

THE FOLLOWING FUNCTIONS ARE UNDEFINED:
append
permutation
pair_merge
lequal

THE FOLLOWING SYNTAX LEMMAS HAVE BEEN GENERATED BY THE PARSER:

[-10]
l1: list, l2: list
|- permutation(l1,l2) : boolean;

[-11]
l1: list, l2: list
|- append(l1,l2) : list;

[-12]
l: list_of_cons
|- list_append(l) : list;

[-13]
l1: list_of_cons, l2: list_of_cons
|- list_permutation(l1,l2) : boolean;


theorem *1
x: list
|- ordered(sort(x));
THEOREM 1 ACCEPTED


theorem *2
x: list
|- permutation(sort(x),x) = TRUE;
THEOREM 2 ACCEPTED


rule +1
y: join
#1 suc(ZERO) < length(y)
|- length(pair_merge(y)) < length(y) => TRUE;
+1 ACCEPTED


rule +2
ll: join
|- pair_merge(ll) : join;
+2 ACCEPTED


rule +3
y: join
#1 list_ordered(y)
|- ordered(sort1(y)) => TRUE;
+3 ACCEPTED
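The sorting program above, which is also the program verified in the Section 5.3 demonstration, transcribed into Python as an added example (not code from the dissertation). The program only declares lequal and pair_merge and leaves permutation and append to perm1, so the definitions of lequal (the natnum order), merge (the usual merge of two ordered lists) and pair_merge (merging adjacent pairs in one pass, which is what the Section 5.3 goals unfold pair_merge to) are assumptions made here, and permutation is taken to mean multiset equality. Theorems *1 and *2 and the termination rule +1 and ordering rule +5 are checked exhaustively on small constructed inputs; natnum is a Python int, NIL is None, and cons and join are both 2-tuples.

```python
"""The sorting-by-merging program of Example 3 (also the program of the
Section 5.3 demonstration) in Python, with theorems *1 and *2 and rules +1
and +5 checked exhaustively on small constructed inputs.

Added example, not part of the dissertation.  lequal, merge, pair_merge
and permutation are assumed definitions; the program only declares them."""
from collections import Counter
from itertools import product

NIL = None


def cons(car, cdr):   # list = NIL U cons(car: natnum, cdr: list)
    return (car, cdr)


def join(hd, tl):     # list_of_cons = NIL U join(hd: cons, tl: list_of_cons)
    return (hd, tl)


def car(p): return p[0]
def cdr(p): return p[1]
def hd(p): return p[0]
def tl(p): return p[1]


def lequal(x, y):     # assumed: the natnum ordering
    return x <= y


def drop(l):
    """list case l of NIL: NIL; cons: join(cons(car(l),NIL), drop(cdr(l)))"""
    return NIL if l is NIL else join(cons(car(l), NIL), drop(cdr(l)))


def ordered_cons(l):
    if cdr(l) is NIL:
        return True
    return ordered_cons(cdr(l)) if lequal(car(l), car(cdr(l))) else False


def ordered(l):
    return True if l is NIL else ordered_cons(l)


def list_ordered(ll):
    if ll is NIL:
        return True
    return list_ordered(tl(ll)) if ordered_cons(hd(ll)) else False


def merge(x, y):      # assumed: merge of two ordered lists
    if x is NIL:
        return y
    if y is NIL:
        return x
    if lequal(car(x), car(y)):
        return cons(car(x), merge(cdr(x), y))
    return cons(car(y), merge(x, cdr(y)))


def pair_merge(ll):   # assumed: merge adjacent pairs in one pass
    if ll is NIL:
        return NIL
    if tl(ll) is NIL:
        return ll
    return join(merge(hd(ll), hd(tl(ll))), pair_merge(tl(tl(ll))))


def sort1(ll):        # ll: join; terminates because rule +1 holds
    return hd(ll) if tl(ll) is NIL else sort1(pair_merge(ll))


def sort(l):
    return NIL if l is NIL else sort1(drop(l))


def length(ll):
    return 0 if ll is NIL else 1 + length(tl(ll))


def from_py(xs):
    l = NIL
    for x in reversed(xs):
        l = cons(x, l)
    return l


def to_py(l):
    out = []
    while l is not NIL:
        out.append(car(l))
        l = cdr(l)
    return out


def permutation(l1, l2):   # assumed meaning of the declared predicate
    return Counter(to_py(l1)) == Counter(to_py(l2))


def check(max_len=5, values=(0, 1, 2)):
    """*1 ordered(sort(x)), *2 permutation(sort(x),x), +1 and +5 for every
    list over `values` of length <= max_len."""
    for n in range(max_len + 1):
        for xs in product(values, repeat=n):
            x = from_py(xs)
            assert ordered(sort(x))                           # theorem *1
            assert permutation(sort(x), x)                    # theorem *2
            y = drop(x)
            if 1 < length(y):
                assert length(pair_merge(y)) < length(y)      # rule +1
            assert list_ordered(y)                            # singletons are ordered
            assert list_ordered(pair_merge(y))                # rule +5
    return True
```

Rule +1 is what the verifier needs to accept sort1 as total: sort1 recurses on pair_merge(ll), and the proof of +3 below inducts on length(y) with exactly that measure. Rule +5 (pair_merge preserves list_ordered) is the invariant that carries ordered_cons through each merging pass, and the Section 5.3 transcript proves it from the merge_cons lemma +7.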


prove *1;

PROVING *1
x: list
|- ordered(sort(x))

type x;

NEW GOALS:
[1]
x: list
#1 x: NIL
|- ordered(sort(x))

SIMPLIFIES TO:

TRUE

[2]
x: list
#1 x: cons
|- ordered(sort(x))

SIMPLIFIES TO:

x.cdr: list, x.car: natnum
|- ordered(sort1(join(cons(x.car,NIL),drop(x.cdr))))

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

x.cdr: list, x.car: natnum
|- ordered(sort1(join(cons(x.car,NIL),drop(x.cdr))))


consequence list_ordered(join(cons(x.car,NIL),drop(x.cdr)));

NEW GOALS:
[1]
x.cdr: list, x.car: natnum
#1 list_ordered(join(cons(x.car,NIL),drop(x.cdr)))
|- ordered(sort1(join(cons(x.car,NIL),drop(x.cdr))))

SIMPLIFIES TO:

TRUE

[2]
x.cdr: list, x.car: natnum
|- list_ordered(join(cons(x.car,NIL),drop(x.cdr)))

SIMPLIFIES TO:

x.cdr: list, x.car: natnum
|- list_ordered(drop(x.cdr))

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

x.cdr: list, x.car: natnum
|- list_ordered(drop(x.cdr))


induct x.cdr;

NEW GOALS:
[1]
x.cdr: list, x.car: natnum
#1 x.cdr: NIL
&1 [x.cdr': list, x.car': natnum
    #1 x.cdr' < x.cdr
    |- list_ordered(drop(x.cdr')) => TRUE]
|- list_ordered(drop(x.cdr))

SIMPLIFIES TO:

TRUE

[2]
x.cdr: list, x.car: natnum
#1 x.cdr: cons
&1 [x.cdr': list, x.car': natnum
    #1 x.cdr' < x.cdr
    |- list_ordered(drop(x.cdr')) => TRUE]
|- list_ordered(drop(x.cdr))

SIMPLIFIES TO:

TRUE

PROOF OF *1 RELATIVE TO THE ASSERTIONS:
+3

UNPROVED THEOREMS: *2
UNPROVED RULES: +3

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1

qed;

rule +4
n.pred: natnum
|- ZERO < suc(n.pred) => TRUE;
+4 ACCEPTED


rule +5
y: list_of_cons
#1 list_ordered(y)
|- list_ordered(pair_merge(y)) => TRUE;
+5 ACCEPTED


rule +6
p: boolean, x: boolean
|- if p then x else FALSE = p and x;
+6 ACCEPTED


prove +3;

PROVING +3
y: join
#1 list_ordered(y)
|- ordered(sort1(y)) => TRUE

induct length(y) <;

NEW GOALS:
[1]
y: join
#1 length(y): ZERO
#2 list_ordered(y)
&1 [y': join
    #1 length(y') < length(y)
    #2 list_ordered(y')
    |- ordered(sort1(y')) => TRUE]
|- ordered(sort1(y)) = TRUE

SIMPLIFIES TO:

TRUE

[2]
y: join
#1 length(y): suc
#2 list_ordered(y)
&1 [y': join
    #1 length(y') < length(y)
    #2 list_ordered(y')
    |- ordered(sort1(y')) => TRUE]
|- ordered(sort1(y)) = TRUE

SIMPLIFIES TO:

y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum, y: join
#1 ordered_cons(cons(y.hd.car, y.hd.cdr))
#2 list_ordered(y.tl)
&1 [y': join
    #1 length(y') < length(join(cons(y.hd.car, y.hd.cdr), y.tl))
    #2 list_ordered(y')
    |- ordered(sort1(y')) => TRUE]
|- ordered(sort1(join(cons(y.hd.car, y.hd.cdr), y.tl)))

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum, y: join
#1 ordered_cons(cons(y.hd.car, y.hd.cdr))
#2 list_ordered(y.tl)
&1 [y': join
    #1 length(y') < length(join(cons(y.hd.car, y.hd.cdr), y.tl))
    #2 list_ordered(y')
    |- ordered(sort1(y')) => TRUE]
|- ordered(sort1(join(cons(y.hd.car, y.hd.cdr), y.tl)))


type y.tl;

NEW GOALS:
[1]
y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum, y: join
#1 y.tl: NIL
#2 ordered_cons(cons(y.hd.car, y.hd.cdr))
#3 list_ordered(y.tl)
&1 [y': join
    #1 length(y') < length(join(cons(y.hd.car, y.hd.cdr), y.tl))
    #2 list_ordered(y')
    |- ordered(sort1(y')) => TRUE]
|- ordered(sort1(join(cons(y.hd.car, y.hd.cdr), y.tl)))

SIMPLIFIES TO:

TRUE

[2]
y.tl: list_of_cons, y.hd.cdr: list, y.hd.car: natnum, y: join
#1 y.tl: join
#2 ordered_cons(cons(y.hd.car, y.hd.cdr))
#3 list_ordered(y.tl)
&1 [y': join
    #1 length(y') < length(join(cons(y.hd.car, y.hd.cdr), y.tl))
    #2 list_ordered(y')
    |- ordered(sort1(y')) => TRUE]
|- ordered(sort1(join(cons(y.hd.car, y.hd.cdr), y.tl)))

SIMPLIFIES TO:

TRUE

PROOF OF +3 RELATIVE TO THE ASSERTIONS:
+2 +4 +1 +5 +6

UNPROVED THEOREMS: *2
UNPROVED RULES: +6 +5 +4 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1
qed;

prove +4;

PROVING +4
n.pred: natnum
|- ZERO < suc(n.pred) => TRUE

induct n.pred;

NEW GOALS:
[1]
n.pred: natnum
#1 n.pred: ZERO
&1 [n.pred': natnum
    #1 n.pred' < n.pred
    |- ZERO < suc(n.pred') => TRUE]
|- ZERO < suc(n.pred) = TRUE

SIMPLIFIES TO:

TRUE

[2]
n.pred: natnum
#1 n.pred: suc
&1 [n.pred': natnum
    #1 n.pred' < n.pred
    |- ZERO < suc(n.pred') => TRUE]
|- ZERO < suc(n.pred) = TRUE

SIMPLIFIES TO:

TRUE

PROOF OF +4
UNPROVED THEOREMS: *2
UNPROVED RULES: +6 +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1
qed;

prove +6;

PROVING +6
p: boolean, x: boolean
|- if p then x else FALSE => p and x

type p;

NEW GOALS:
[1]
p: boolean, x: boolean
#1 p: TRUE
|- if p then x else FALSE = p and x

SIMPLIFIES TO:

TRUE

[2]
p: boolean, x: boolean
#1 p: FALSE
|- if p then x else FALSE = p and x

SIMPLIFIES TO:

TRUE

PROOF OF +6
UNPROVED THEOREMS: *2
UNPROVED RULES: +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2 -1

qed;

prove -1;

PROVING -1
l: list
|- drop(l) : list_of_cons

induct l;

NEW GOALS:
[1]
l: list
#1 l: NIL
&1 [l': list
    #1 l' < l
    |- drop(l') : list_of_cons]
|- drop(l) : list_of_cons

SIMPLIFIES TO:

TRUE

[2]
l: list
#1 l: cons
&1 [l': list
    #1 l' < l
    |- drop(l') : list_of_cons]
|- drop(l) : list_of_cons

SIMPLIFIES TO:

TRUE

PROOF OF -1
UNPROVED THEOREMS: *2
UNPROVED RULES: +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -3 -2

qed;

prove -3;

PROVING -3
l: cons
|- ordered_cons(l) : boolean

induct l;

NEW GOALS:
[1]
l: cons
&1 [l': cons
    #1 l' < l
    |- ordered_cons(l') : boolean]
|- ordered_cons(l) : boolean

SIMPLIFIES TO:

l.cdr: list, l.car: natnum, l: cons
&1 [l': cons
    #1 l' < cons(l.car, l.cdr)
    |- ordered_cons(l') : boolean]
|- ordered_cons(cons(l.car, l.cdr)) : boolean

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

l.cdr: list, l.car: natnum, l: cons
&1 [l': cons
    #1 l' < cons(l.car, l.cdr)
    |- ordered_cons(l') : boolean]
|- ordered_cons(cons(l.car, l.cdr)) : boolean


type l.cdr;

NEW GOALS:
[1]
l.cdr: list, l.car: natnum, l: cons
#1 l.cdr: NIL
&1 [l': cons
    #1 l' < cons(l.car, l.cdr)
    |- ordered_cons(l') : boolean]
|- ordered_cons(cons(l.car, l.cdr)) : boolean

SIMPLIFIES TO:

TRUE

[2]
l.cdr: list, l.car: natnum, l: cons
#1 l.cdr: cons
&1 [l': cons
    #1 l' < cons(l.car, l.cdr)
    |- ordered_cons(l') : boolean]
|- ordered_cons(cons(l.car, l.cdr)) : boolean

SIMPLIFIES TO:

TRUE

PROOF OF -3
UNPROVED THEOREMS: *2
UNPROVED RULES: +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -8 -7 -6 -5 -4 -2
qed;


prove -4;

PROVING -4
l: list
|- ordered(l) : boolean

type l;

NEW GOALS:
[1]
l: list
#1 l: NIL
|- ordered(l) : boolean

SIMPLIFIES TO:

TRUE

[2]
l: list
#1 l: cons
|- ordered(l) : boolean

SIMPLIFIES TO:

TRUE

PROOF OF -4

UNPROVED THEOREMS: *2
UNPROVED RULES: +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -8 -7 -6 -5 -2
qed;

prove -5;

PROVING -5
ll: list_of_cons
|- list_ordered(ll) : boolean

induct ll;

NEW GOALS:
[1]
ll: list_of_cons
#1 ll: NIL
&1 [ll': list_of_cons
    #1 ll' < ll
    |- list_ordered(ll') : boolean]
|- list_ordered(ll) : boolean

SIMPLIFIES TO:

TRUE

[2]
ll: list_of_cons
#1 ll: join
&1 [ll': list_of_cons
    #1 ll' < ll
    |- list_ordered(ll') : boolean]
|- list_ordered(ll) : boolean

SIMPLIFIES TO:

TRUE

PROOF OF -5
UNPROVED THEOREMS: *2
UNPROVED RULES: +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -8 -7 -6 -2

qed;

prove -7;

PROVING -7
ll: join
|- sort1(ll) : list

induct length(ll);

NEW GOALS:
[1]
ll: join
#1 length(ll): ZERO
&1 [ll': join
    #1 length(ll') < length(ll)
    |- sort1(ll') : list]
|- sort1(ll) : list

SIMPLIFIES TO:

TRUE

[2]
ll: join
#1 length(ll): suc
&1 [ll': join
    #1 length(ll') < length(ll)
    |- sort1(ll') : list]
|- sort1(ll) : list

SIMPLIFIES TO:

ll.tl: list_of_cons, ll.hd.cdr: list, ll.hd.car: natnum, ll: join
&1 [ll': join
    #1 length(ll') < length(join(cons(ll.hd.car, ll.hd.cdr), ll.tl))
    |- sort1(ll') : list]
|- sort1(join(cons(ll.hd.car, ll.hd.cdr), ll.tl)) : list

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

ll.tl: list_of_cons, ll.hd.cdr: list, ll.hd.car: natnum, ll: join
&1 [ll': join
    #1 length(ll') < length(join(cons(ll.hd.car, ll.hd.cdr), ll.tl))
    |- sort1(ll') : list]
|- sort1(join(cons(ll.hd.car, ll.hd.cdr), ll.tl)) : list


type ll.tl;

NEW GOALS:
[1]
ll.tl: list_of_cons, ll.hd.cdr: list, ll.hd.car: natnum, ll: join
#1 ll.tl: NIL
&1 [ll': join
    #1 length(ll') < length(join(cons(ll.hd.car, ll.hd.cdr), ll.tl))
    |- sort1(ll') : list]
|- sort1(join(cons(ll.hd.car, ll.hd.cdr), ll.tl)) : list

SIMPLIFIES TO:

TRUE

[2]
ll.tl: list_of_cons, ll.hd.cdr: list, ll.hd.car: natnum, ll: join
#1 ll.tl: join
&1 [ll': join
    #1 length(ll') < length(join(cons(ll.hd.car, ll.hd.cdr), ll.tl))
    |- sort1(ll') : list]
|- sort1(join(cons(ll.hd.car, ll.hd.cdr), ll.tl)) : list

SIMPLIFIES TO:

TRUE

PROOF OF -7 RELATIVE TO THE ASSERTIONS:
+2 +1

UNPROVED THEOREMS: *2
UNPROVED RULES: +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -8 -6 -2
qed;

prove -8;
PROVING -8

l:list

|- sort(l):list

type l;
NEW GOALS:
[1]

l:list

#1 l:NIL

|- sort(l):list

SIMPLIFIES TO:

TRUE

[2]

l:list

#1 l:cons
|- sort(l):list

SIMPLIFIES TO:

TRUE

PROOF OF -8
UNPROVED THEOREMS: *2
UNPROVED RULES: +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -9 -6 -2
qed;

prove -9;

PROVING -9

l1:list_of_cons

|- length(l1):natnum

induct l1;
NEW GOALS:
[1]

l1:list_of_cons
#1 l1:NIL
§1 [l1':list_of_cons
#1 l1' ⊂ l1

|- length(l1'):natnum]
|- length(l1):natnum

SIMPLIFIES TO:

TRUE

[2]

l1:list_of_cons
#1 l1:join
§1 [l1':list_of_cons
#1 l1' ⊂ l1

|- length(l1'):natnum]
|- length(l1):natnum

SIMPLIFIES TO:

TRUE

PROOF OF -9

UNPROVED THEOREMS: *2

UNPROVED RULES: +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -6 -2

qed;

rule +7
x:list

|- permutation(x,x)=>TRUE;
+7 ACCEPTED

rule +8
x:join,y:list

#1 list_permutation(x,drop(y))

|- permutation(sortl(x),y)=>TRUE;
+8 ACCEPTED


prove *2;

PROVING *2
x:list

|- permutation(sort(x),x)=>TRUE

type x;
NEW GOALS:
[1]

x:list
#1 x:NIL

|- permutation(sort(x),x)=>TRUE
SIMPLIFIES TO:

TRUE

[2]

x:list
#1 x:cons

|- permutation(sort(x),x)=>TRUE
SIMPLIFIES TO:

TRUE

PROOF OF *2 RELATIVE TO THE ASSERTIONS:

+7 +8

UNPROVED RULES: +8 +7 +5 +2 +1

UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -6 -2

qed;

prove +8;
PROVING +8
x:join,y:list

#1 list_permutation(x,drop(y))
|- permutation(sortl(x),y)=>TRUE

rule +9

x:list_of_cons,y:list_of_cons

#1 list_permutation(x,y)

|- list_permutation(pair_merge(x),y)=>TRUE;
+9 ACCEPTED

rule +10
x:list

|- append(x,NIL)=>x;
+10 ACCEPTED

rule +11
x:list

|- list_append(drop(x))=>x;
+11 ACCEPTED

induct length(x);
NEW GOALS:
[1]

x:join,y:list

#1 length(x):ZERO

#2 list_permutation(x,drop(y))

§1 [x':join,y':list

#1 length(x') ⊂ length(x)
#2 list_permutation(x',drop(y'))

|- permutation(sortl(x'),y')=>TRUE]
|- permutation(sortl(x),y)=>TRUE

SIMPLIFIES TO:

TRUE

[2]

x:join,y:list

#1 length(x):suc

#2 list_permutation(x,drop(y))

§1 [x':join,y':list

#1 length(x') ⊂ length(x)

#2 list_permutation(x',drop(y'))

|- permutation(sortl(x'),y')=>TRUE]

|- permutation(sortl(x),y)=>TRUE

SIMPLIFIES TO:

x.tl:list_of_cons,x.hd.cdr:list,x.hd.car:natnum,x:join,y:list
#1 permutation(append(cons(x.hd.car,x.hd.cdr),list_append(x.tl)),y)
§1 [x':join,y':list

#1 length(x') ⊂ length(join(cons(x.hd.car,x.hd.cdr),x.tl))
#2 list_permutation(x',drop(y'))

|- permutation(sortl(x'),y')=>TRUE]

|- permutation(sortl(join(cons(x.hd.car,x.hd.cdr),x.tl)),y)

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

x.tl:list_of_cons,x.hd.cdr:list,x.hd.car:natnum,x:join,y:list
#1 permutation(append(cons(x.hd.car,x.hd.cdr),list_append(x.tl)),y)
§1 [x':join,y':list

#1 length(x') ⊂ length(join(cons(x.hd.car,x.hd.cdr),x.tl))
#2 list_permutation(x',drop(y'))

|- permutation(sortl(x'),y')=>TRUE]

|- permutation(sortl(join(cons(x.hd.car,x.hd.cdr),x.tl)),y)

type x.tl;
NEW GOALS:
[1]

x.tl:list_of_cons,x.hd.cdr:list,x.hd.car:natnum,x:join,y:list
#1 x.tl:NIL

#2 permutation(append(cons(x.hd.car,x.hd.cdr),list_append(x.tl)),y)
§1 [x':join,y':list

#1 length(x') ⊂ length(join(cons(x.hd.car,x.hd.cdr),x.tl))

#2 list_permutation(x',drop(y'))

|- permutation(sortl(x'),y')=>TRUE]

|- permutation(sortl(join(cons(x.hd.car,x.hd.cdr),x.tl)),y)

SIMPLIFIES TO:

TRUE

[2]

x.tl:list_of_cons,x.hd.cdr:list,x.hd.car:natnum,x:join,y:list
#1 x.tl:join

#2 permutation(append(cons(x.hd.car,x.hd.cdr),list_append(x.tl)),y)
§1 [x':join,y':list

#1 length(x') ⊂ length(join(cons(x.hd.car,x.hd.cdr),x.tl))

#2 list_permutation(x',drop(y'))

|- permutation(sortl(x'),y')=>TRUE]

|- permutation(sortl(join(cons(x.hd.car,x.hd.cdr),x.tl)),y)

SIMPLIFIES TO:

TRUE

PROOF OF +8 RELATIVE TO THE ASSERTIONS:

+10 +2 +1 +9 +11

UNPROVED RULES: +11 +10 +9 +7 +5 +2 +1
UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -6 -2

qed;

rule +12

x:list,y:list,z:list
#1 permutation(y,z)

#2 permutation(x,y)

|- permutation(x,z)=>TRUE;

+12 ACCEPTED

rule +13

x:list_of_cons

|- permutation(list_append(pair_merge(x)),list_append(x))=>TRUE;
+13 ACCEPTED


prove +9;
PROVING +9

x:list_of_cons,y:list_of_cons
#1 list_permutation(x,y)

|- list_permutation(pair_merge(x),y)=>TRUE

CURRENT GOAL:

[1]

x:list_of_cons,y:list_of_cons
#1 list_permutation(x,y)

|- list_permutation(pair_merge(x),y)=>TRUE

SIMPLIFIES TO:

TRUE

PROOF OF +9 RELATIVE TO THE ASSERTIONS:
+13 +12

UNPROVED RULES: +13 +12 +11 +10 +7 +5 +2 +1
UNPROVED SYNTAX LEMMAS: -13 -12 -11 -10 -6 -2

qed;

prove -12;

PROVING -12

l:list_of_cons

|- list_append(l):list

induct l;
NEW GOALS:
[1]

l:list_of_cons
#1 l:NIL
§1 [l':list_of_cons
#1 l' ⊂ l

|- list_append(l'):list]
|- list_append(l):list

SIMPLIFIES TO:

TRUE

[2]

l:list_of_cons
#1 l:join
§1 [l':list_of_cons
#1 l' ⊂ l

|- list_append(l'):list]
|- list_append(l):list

SIMPLIFIES TO:

TRUE

PROOF OF -12

UNPROVED RULES: +13 +12 +11 +10 +7 +5 +2 +1
UNPROVED SYNTAX LEMMAS: -13 -11 -10 -6 -2

qed;

prove -13;

PROVING -13

l1:list_of_cons,l2:list_of_cons
|- list_permutation(l1,l2):boolean

CURRENT GOAL:

[1]

l1:list_of_cons,l2:list_of_cons
|- list_permutation(l1,l2):boolean

SIMPLIFIES TO:

TRUE

PROOF OF -13

UNPROVED RULES: +13 +12 +11 +10 +7 +5 +2 +1
UNPROVED SYNTAX LEMMAS: -11 -10 -6 -2


A 1.3 
program sort2;

declare function merge_cons(l1:cons,l2:cons):cons
function pair_merge(l1:list_of_cons):list_of_cons =
  list_of_cons case l1 of
    NIL: NIL
    join: list_of_cons case tl(l1) of
      NIL: l1
      join: join(merge_cons(hd(l1),hd(tl(l1))),pair_merge(tl(tl(l1))))

THE FOLLOWING FUNCTIONS ARE UNDEFINED:
merge_cons
append
permutation
lequal

THE FOLLOWING SYNTAX LEMMAS HAVE BEEN GENERATED BY THE PARSER:
[-14]

l1:cons,l2:cons
|- merge_cons(l1,l2):cons


rule +14

x:list,y:list,z:list_of_cons

|- append(x,append(y,list_append(z)))=>append(append(x,y),list_append(z));
+14 ACCEPTED

rule +15
x:cons,y:cons

|- permutation(merge_cons(x,y),append(x,y))=>TRUE;
+15 ACCEPTED

rule +16

x:list,y:list,u:list,v:list
#1 permutation(x,y)

#2 permutation(u,v)

|- permutation(append(x,u),append(y,v))=>TRUE;
+16 ACCEPTED

rule +17
x:list

|- append(NIL,x)=>x;
+17 ACCEPTED


prove +13;

PROVING +13
x:list_of_cons

|- permutation(list_append(pair_merge(x)),list_append(x))=>TRUE

induct x;
NEW GOALS:
[1]

x:list_of_cons
#1 x:NIL
§1 [x':list_of_cons
#1 x' ⊂ x

|- permutation(list_append(pair_merge(x')),list_append(x'))=>TRUE]
|- permutation(list_append(pair_merge(x)),list_append(x))=>TRUE
SIMPLIFIES TO:

TRUE

[2]

x:list_of_cons
#1 x:join
§1 [x':list_of_cons
#1 x' ⊂ x

|- permutation(list_append(pair_merge(x')),list_append(x'))=>TRUE]

|- permutation(list_append(pair_merge(x)),list_append(x))=>TRUE

SIMPLIFIES TO:

x.tl:list_of_cons,x.hd.cdr:list,x.hd.car:natnum
§1 [x':list_of_cons

#1 x' ⊂ join(cons(x.hd.car,x.hd.cdr),x.tl)

|- permutation(list_append(pair_merge(x')),list_append(x'))=>TRUE]
|- permutation(append(hd(list_of_cons case of x.tl [NIL: join(cons(x.hd.car,x.hd.cdr),NIL) join: join(merge_cons(cons(x.hd.car,x.hd.cdr),cons(x.tl.hd.car,x.tl.hd.cdr)),pair_merge(x.tl.tl))]),list_append(tl(list_of_cons case of x.tl [NIL: join(cons(x.hd.car,x.hd.cdr),NIL) join: join(merge_cons(cons(x.hd.car,x.hd.cdr),cons(x.tl.hd.car,x.tl.hd.cdr)),pair_merge(x.tl.tl))]))),append(cons(x.hd.car,x.hd.cdr),list_append(x.tl)))

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

x.tl:list_of_cons,x.hd.cdr:list,x.hd.car:natnum
§1 [x':list_of_cons

#1 x' ⊂ join(cons(x.hd.car,x.hd.cdr),x.tl)

|- permutation(list_append(pair_merge(x')),list_append(x'))=>TRUE]
|- permutation(append(hd(list_of_cons case of x.tl [NIL: join(cons(x.hd.car,x.hd.cdr),NIL) join: join(merge_cons(cons(x.hd.car,x.hd.cdr),cons(x.tl.hd.car,x.tl.hd.cdr)),pair_merge(x.tl.tl))]),list_append(tl(list_of_cons case of x.tl [NIL: join(cons(x.hd.car,x.hd.cdr),NIL) join: join(merge_cons(cons(x.hd.car,x.hd.cdr),cons(x.tl.hd.car,x.tl.hd.cdr)),pair_merge(x.tl.tl))]))),append(cons(x.hd.car,x.hd.cdr),list_append(x.tl)))

type x.tl;
NEW GOALS:
[1]

x.tl:list_of_cons,x.hd.cdr:list,x.hd.car:natnum

#1 x.tl:NIL
§1 [x':list_of_cons

#1 x' ⊂ join(cons(x.hd.car,x.hd.cdr),x.tl)

|- permutation(list_append(pair_merge(x')),list_append(x'))=>TRUE]

|- permutation(append(hd(list_of_cons case of x.tl [NIL: join(cons(x.hd.car,x.hd.cdr),NIL) join: join(merge_cons(cons(x.hd.car,x.hd.cdr),cons(x.tl.hd.car,x.tl.hd.cdr)),pair_merge(x.tl.tl))]),list_append(tl(list_of_cons case of x.tl [NIL: join(cons(x.hd.car,x.hd.cdr),NIL) join: join(merge_cons(cons(x.hd.car,x.hd.cdr),cons(x.tl.hd.car,x.tl.hd.cdr)),pair_merge(x.tl.tl))]))),append(cons(x.hd.car,x.hd.cdr),list_append(x.tl)))

SIMPLIFIES TO:

TRUE

[2]

x.tl:list_of_cons,x.hd.cdr:list,x.hd.car:natnum
#1 x.tl:join
§1 [x':list_of_cons

#1 x' ⊂ join(cons(x.hd.car,x.hd.cdr),x.tl)

|- permutation(list_append(pair_merge(x')),list_append(x'))=>TRUE]
|- permutation(append(hd(list_of_cons case of x.tl [NIL: join(cons(x.hd.car,x.hd.cdr),NIL) join: join(merge_cons(cons(x.hd.car,x.hd.cdr),cons(x.tl.hd.car,x.tl.hd.cdr)),pair_merge(x.tl.tl))]),list_append(tl(list_of_cons case of x.tl [NIL: join(cons(x.hd.car,x.hd.cdr),NIL) join: join(merge_cons(cons(x.hd.car,x.hd.cdr),cons(x.tl.hd.car,x.tl.hd.cdr)),pair_merge(x.tl.tl))]))),append(cons(x.hd.car,x.hd.cdr),list_append(x.tl)))

SIMPLIFIES TO:

TRUE

PROOF OF +13 RELATIVE TO THE ASSERTIONS:
+16 +14 +15 +7 +2

UNPROVED RULES: +16 +15 +14 +12 +11 +10 +7 +5 +2 +1
UNPROVED SYNTAX LEMMAS: -14 -11 -10 -6 -2

qed;

program sort3;

function merge(l1:list,l2:list):list =
  list case l1 of
    NIL: l2
    cons: list case l2 of
      NIL: l1
      cons: merge_cons(l1,l2)
function merge_cons(l1:cons,l2:cons):cons =
  if lequal(car(l1),car(l2)) then cons(car(l1),merge(cdr(l1),l2))
  else cons(car(l2),merge(l1,cdr(l2)))
declare function sum_length(l1:list,l2:list):natnum

THE FOLLOWING FUNCTIONS ARE UNDEFINED:
sum_length
append
permutation
lequal

THE FOLLOWING SYNTAX LEMMAS HAVE BEEN GENERATED BY THE PARSER:
[-15]

l1:list,l2:list
|- merge(l1,l2):list

[-16]

l1:list,l2:list

|- sum_length(l1,l2):natnum


rule +18
x1:cons,x2:cons

#1 ordered_cons(x1)

#2 ordered_cons(x2)

|- ordered_cons(merge_cons(x1,x2))=>TRUE;
+18 ACCEPTED


prove +5;
PROVING +5
y:list_of_cons
#1 list_ordered(y)

|- list_ordered(pair_merge(y))=>TRUE

induct y;
NEW GOALS:
[1]

y:list_of_cons
#1 y:NIL
#2 list_ordered(y)

§1 [y':list_of_cons

#1 y' ⊂ y

#2 list_ordered(y')

|- list_ordered(pair_merge(y'))=>TRUE]
|- list_ordered(pair_merge(y))=>TRUE

SIMPLIFIES TO:

TRUE

[2]

y:list_of_cons

#1 y:join

#2 list_ordered(y)

§1 [y':list_of_cons

#1 y' ⊂ y

#2 list_ordered(y')

|- list_ordered(pair_merge(y'))=>TRUE]

|- list_ordered(pair_merge(y))=>TRUE

SIMPLIFIES TO:

y.tl:list_of_cons,y.hd.cdr:list,y.hd.car:natnum

#1 ordered_cons(cons(y.hd.car,y.hd.cdr))

#2 list_ordered(y.tl)

§1 [y':list_of_cons

#1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)

#2 list_ordered(y')

|- list_ordered(pair_merge(y'))=>TRUE]

|- ordered_cons(hd(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))])) and list_ordered(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))]))

1 GOALS REMAIN TO BE PROVED
CURRENT GOAL:

y.tl:list_of_cons,y.hd.cdr:list,y.hd.car:natnum

#1 ordered_cons(cons(y.hd.car,y.hd.cdr))

#2 list_ordered(y.tl)

§1 [y':list_of_cons

#1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)

#2 list_ordered(y')

|- list_ordered(pair_merge(y'))=>TRUE]

|- ordered_cons(hd(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))])) and list_ordered(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))]))

type y.tl;
NEW GOALS:

[1]

y.tl:list_of_cons,y.hd.cdr:list,y.hd.car:natnum

#1 y.tl:NIL

#2 ordered_cons(cons(y.hd.car,y.hd.cdr))

#3 list_ordered(y.tl)

§1 [y':list_of_cons

#1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)

#2 list_ordered(y')

|- list_ordered(pair_merge(y'))=>TRUE]

|- ordered_cons(hd(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))])) and list_ordered(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))]))

SIMPLIFIES TO:

TRUE

[2]

y.tl:list_of_cons,y.hd.cdr:list,y.hd.car:natnum
#1 y.tl:join

#2 ordered_cons(cons(y.hd.car,y.hd.cdr))

#3 list_ordered(y.tl)

§1 [y':list_of_cons

#1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)

#2 list_ordered(y')

|- list_ordered(pair_merge(y'))=>TRUE]

|- ordered_cons(hd(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))])) and list_ordered(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))]))

SIMPLIFIES TO:

TRUE

PROOF OF +5 RELATIVE TO THE ASSERTIONS:

+18 +2

UNPROVED RULES: +18 +16 +15 +14 +12 +11 +10 +7 +2 +1
UNPROVED SYNTAX LEMMAS: -16 -15 -14 -11 -10 -6 -2

qed;

prove -6;

PROVING -6
l1:list_of_cons

|- pair_merge(l1):list_of_cons

induct l1;
NEW GOALS:
[1]

l1:list_of_cons
#1 l1:NIL
§1 [l1':list_of_cons
#1 l1' ⊂ l1

|- pair_merge(l1'):list_of_cons]
|- pair_merge(l1):list_of_cons

SIMPLIFIES TO:

TRUE

[2]

l1:list_of_cons
#1 l1:join
§1 [l1':list_of_cons
#1 l1' ⊂ l1

|- pair_merge(l1'):list_of_cons]
|- pair_merge(l1):list_of_cons

SIMPLIFIES TO:

TRUE

PROOF OF -6 RELATIVE TO THE ASSERTIONS:
+2

UNPROVED RULES: +18 +16 +15 +14 +12 +11 +10 +7 +2 +1
UNPROVED SYNTAX LEMMAS: -16 -15 -14 -11 -10 -2

qed;

rule +19

x:list,y:list,z:list
#1 x ⊂ y

|- sum_length(x,z) ⊂ sum_length(y,z)=>TRUE;

+19 ACCEPTED

rule +20

x:list,y:list,z:list
#1 y ⊂ z

|- sum_length(x,y) ⊂ sum_length(x,z)=>TRUE;
+20 ACCEPTED

rule +21
x:cons,y:list
|- sum_length(x,y):suc;

+21 ACCEPTED




prove -14;

PROVING -14

l1:cons,l2:cons

|- merge_cons(l1,l2):cons

induct sum_length(l1,l2);
NEW GOALS:

[1]

l1:cons,l2:cons

§1 [l1':cons,l2':cons

#1 sum_length(l1',l2') ⊂ sum_length(l1,l2)

|- merge_cons(l1',l2'):cons]

|- merge_cons(l1,l2):cons

SIMPLIFIES TO:

l1.cdr:list,l1.car:natnum,l1:cons,l2.cdr:list,l2.car:natnum,l2:cons
§1 [l1':cons,l2':cons

#1 sum_length(l1',l2') ⊂ sum_length(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr))
|- merge_cons(l1',l2'):cons]

|- merge_cons(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr)):cons
1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

l1.cdr:list,l1.car:natnum,l1:cons,l2.cdr:list,l2.car:natnum,l2:cons
§1 [l1':cons,l2':cons

#1 sum_length(l1',l2') ⊂ sum_length(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr))
|- merge_cons(l1',l2'):cons]

|- merge_cons(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr)):cons

type lequal(l1.car,l2.car);
NEW GOALS:
[1]

l1.cdr:list,l1.car:natnum,l1:cons,l2.cdr:list,l2.car:natnum,l2:cons
#1 lequal(l1.car,l2.car):TRUE
§1 [l1':cons,l2':cons

#1 sum_length(l1',l2') ⊂ sum_length(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr))
|- merge_cons(l1',l2'):cons]

|- merge_cons(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr)):cons

SIMPLIFIES TO:

l1.cdr:list,l1.car:natnum,l2.cdr:list,l2.car:natnum
#1 lequal(l1.car,l2.car)

§1 [l1':cons,l2':cons

#1 sum_length(l1',l2') ⊂ sum_length(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr))
|- merge_cons(l1',l2'):cons]
|- merge(l1.cdr,cons(l2.car,l2.cdr)):list

[2]

l1.cdr:list,l1.car:natnum,l1:cons,l2.cdr:list,l2.car:natnum,l2:cons
#1 lequal(l1.car,l2.car):FALSE
§1 [l1':cons,l2':cons

#1 sum_length(l1',l2') ⊂ sum_length(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr))
|- merge_cons(l1',l2'):cons]

|- merge_cons(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr)):cons

SIMPLIFIES TO:

TRUE

1 GOALS REMAIN TO BE PROVED
CURRENT GOAL:

l1.cdr:list,l1.car:natnum,l2.cdr:list,l2.car:natnum
#1 lequal(l1.car,l2.car)

§1 [l1':cons,l2':cons

#1 sum_length(l1',l2') ⊂ sum_length(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr))
|- merge_cons(l1',l2'):cons]

|- merge(l1.cdr,cons(l2.car,l2.cdr)):list

type l1.cdr;
NEW GOALS:
[1]

l1.cdr:list,l1.car:natnum,l2.cdr:list,l2.car:natnum

#1 l1.cdr:NIL

#2 lequal(l1.car,l2.car)

§1 [l1':cons,l2':cons

#1 sum_length(l1',l2') ⊂ sum_length(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr))
|- merge_cons(l1',l2'):cons]

|- merge(l1.cdr,cons(l2.car,l2.cdr)):list

SIMPLIFIES TO:

TRUE

[2]

l1.cdr:list,l1.car:natnum,l2.cdr:list,l2.car:natnum

#1 l1.cdr:cons

#2 lequal(l1.car,l2.car)

§1 [l1':cons,l2':cons

#1 sum_length(l1',l2') ⊂ sum_length(cons(l1.car,l1.cdr),cons(l2.car,l2.cdr))
|- merge_cons(l1',l2'):cons]

|- merge(l1.cdr,cons(l2.car,l2.cdr)):list

SIMPLIFIES TO:

TRUE

PROOF OF -14 RELATIVE TO THE ASSERTIONS:
+19 +20 +21

UNPROVED RULES: +21 +20 +19 +18 +16 +15 +14 +12 +11 +10 +7 +2 +1
UNPROVED SYNTAX LEMMAS: -16 -15 -11 -10 -2
qed;

prove -15;

PROVING -15
l1:list,l2:list

|- merge(l1,l2):list

type l1;
NEW GOALS:
[1]

l1:list,l2:list

#1 l1:NIL

|- merge(l1,l2):list

SIMPLIFIES TO:

TRUE

[2]

l1:list,l2:list

#1 l1:cons
|- merge(l1,l2):list

SIMPLIFIES TO:

TRUE

PROOF OF -15

UNPROVED RULES: +21 +20 +19 +18 +16 +15 +14 +12 +11 +10 +7 +2 +1
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

rule +22

y:list_of_cons

|- length(pair_merge(y)) ⊂ suc(length(y))=>TRUE;

+22 ACCEPTED
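As an added illustration, not part of the dissertation's session transcript or of the TYPED LISP system, the following Python model of merge, merge_cons and pair_merge from programs sort2 and sort3 checks rules +15, +18 and +22 on constructed inputs. Since permutation, lequal and ordered_cons are left undefined on the page, the block assumes multiset equality, <= on natural numbers and pairwise lequal order for them, and reads ⊂ on natnum as <.

```python
from typing import Optional, Tuple

# Python stand-ins for the TYPED LISP types used by sort2/sort3:
#   list         = NIL | cons(car:natnum, cdr:list)      -> None | (car, cdr)
#   list_of_cons = NIL | join(hd:cons, tl:list_of_cons)  -> None | (hd, tl)
Cons = Tuple[int, "List"]
List = Optional[Cons]
Join = Tuple[Cons, "ListOfCons"]
ListOfCons = Optional[Join]


def lequal(x: int, y: int) -> bool:
    # lequal is undefined on the page; assumed here to be <= on natural numbers
    return x <= y


def merge(l1: List, l2: List) -> List:
    # function merge(l1:list,l2:list):list from program sort3
    if l1 is None:
        return l2
    if l2 is None:
        return l1
    return merge_cons(l1, l2)


def merge_cons(l1: Cons, l2: Cons) -> Cons:
    # function merge_cons(l1:cons,l2:cons):cons from program sort3
    if lequal(l1[0], l2[0]):
        return (l1[0], merge(l1[1], l2))
    return (l2[0], merge(l1, l2[1]))


def pair_merge(l: ListOfCons) -> ListOfCons:
    # function pair_merge(l1:list_of_cons):list_of_cons from program sort2:
    # merge the first two cons cells, then recurse on the remainder
    if l is None:
        return None
    hd, tl = l
    if tl is None:
        return l
    return (merge_cons(hd, tl[0]), pair_merge(tl[1]))


def append(x: List, y: List) -> List:
    return y if x is None else (x[0], append(x[1], y))


def length(l: ListOfCons) -> int:
    # length of a list_of_cons, the measure used in rules +1 and +22
    return 0 if l is None else 1 + length(l[1])


def from_py(xs) -> List:
    l: List = None
    for v in reversed(xs):
        l = (v, l)
    return l


def to_py(l: List) -> list:
    out = []
    while l is not None:
        out.append(l[0])
        l = l[1]
    return out


def ordered_cons(c: Cons) ->  bool:
    # assumed meaning of ordered_cons: adjacent elements are in lequal order
    xs = to_py(c)
    return all(lequal(a, b) for a, b in zip(xs, xs[1:]))


def permutation(x: List, y: List) -> bool:
    # permutation is undefined on the page; assumed: same multiset of elements
    return sorted(to_py(x)) == sorted(to_py(y))


def check_rule_15(x: Cons, y: Cons) -> bool:
    # rule +15: permutation(merge_cons(x,y),append(x,y)) => TRUE
    return permutation(merge_cons(x, y), append(x, y))


def check_rule_18(x1: Cons, x2: Cons) -> bool:
    # rule +18: ordered_cons(x1), ordered_cons(x2) |- ordered_cons(merge_cons(x1,x2)) => TRUE
    if not (ordered_cons(x1) and ordered_cons(x2)):
        return True  # hypotheses not met, so the rule makes no claim
    return ordered_cons(merge_cons(x1, x2))


def check_rule_22(y: ListOfCons) -> bool:
    # rule +22: length(pair_merge(y)) ⊂ suc(length(y)) => TRUE, with ⊂ read as <
    return length(pair_merge(y)) < length(y) + 1


def run_checks() -> bool:
    # constructed inputs: two ordered cons cells and a three-cell list_of_cons
    x1 = from_py([1, 4, 9])
    x2 = from_py([2, 3, 10, 11])
    y: ListOfCons = (x1, (x2, (from_py([0]), None)))
    return (check_rule_15(x1, x2) and check_rule_18(x1, x2)
            and check_rule_22(None) and check_rule_22((x1, None)) and check_rule_22(y))
```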


prove +1;

PROVING +1
y:join

#1 suc(ZERO) ⊂ length(y)

|- length(pair_merge(y)) ⊂ length(y)=>TRUE

induct y;
NEW GOALS:

[1]

y:join

#1 suc(ZERO) ⊂ length(y)

§1 [y':join
#1 y' ⊂ y

#2 suc(ZERO) ⊂ length(y')

|- length(pair_merge(y')) ⊂ length(y')=>TRUE]
|- length(pair_merge(y)) ⊂ length(y)=>TRUE

SIMPLIFIES TO:

y.tl:list_of_cons,y.hd.cdr:list,y.hd.car:natnum,y:join
#1 ZERO ⊂ length(y.tl)
§1 [y':join

#1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)

#2 suc(ZERO) ⊂ length(y')

|- length(pair_merge(y')) ⊂ length(y')=>TRUE]
|- length(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))])) ⊂ length(y.tl)

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

y.tl:list_of_cons,y.hd.cdr:list,y.hd.car:natnum,y:join

#1 ZERO ⊂ length(y.tl)

§1 [y':join

#1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)

#2 suc(ZERO) ⊂ length(y')

|- length(pair_merge(y')) ⊂ length(y')=>TRUE]

|- length(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))])) ⊂ length(y.tl)

type y.tl;
NEW GOALS:
[1]

y.tl:list_of_cons,y.hd.cdr:list,y.hd.car:natnum,y:join
#1 y.tl:NIL
#2 ZERO ⊂ length(y.tl)

§1 [y':join

#1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)

#2 suc(ZERO) ⊂ length(y')

|- length(pair_merge(y')) ⊂ length(y')=>TRUE]

|- length(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))])) ⊂ length(y.tl)

SIMPLIFIES TO:

TRUE

[2]

y.tl:list_of_cons,y.hd.cdr:list,y.hd.car:natnum,y:join

#1 y.tl:join

#2 ZERO ⊂ length(y.tl)

§1 [y':join

#1 y' ⊂ join(cons(y.hd.car,y.hd.cdr),y.tl)

#2 suc(ZERO) ⊂ length(y')

|- length(pair_merge(y')) ⊂ length(y')=>TRUE]

|- length(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL) join: join(merge_cons(cons(y.hd.car,y.hd.cdr),cons(y.tl.hd.car,y.tl.hd.cdr)),pair_merge(y.tl.tl))])) ⊂ length(y.tl)

SIMPLIFIES TO:

TRUE

PROOF OF +1 RELATIVE TO THE ASSERTIONS:

+22 +2

UNPROVED RULES: +22 +21 +20 +19 +18 +16 +15 +14 +12 +11 +10 +7 +2
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

prove +2;
PROVING +2
l1:join

|- pair_merge(l1):join
CURRENT GOAL:
[1]

l1:join

|- pair_merge(l1):join
SIMPLIFIES TO:

TRUE

PROOF OF +2

UNPROVED RULES: +22 +21 +20 +19 +18 +16 +15 +14 +12 +11 +10 +7
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

rule +23

x:natnum,y:natnum
#1 not lequal(x,y)

|- lequal(y,x)=>TRUE;
+23 ACCEPTED

rule +24

n:natnum,x1:cons,x2:cons
#1 ordered_cons(cons(n,x1))

#2 ordered_cons(cons(n,x2))

|- lequal(n,car(merge_cons(x1,x2)))=>TRUE;
+24 ACCEPTED


provo  +18i 
PROVING  +16 
xl:cons,x2tcons 
#1  ordsrsd_cons(xl) 

#2  ordored_cons <x2) 

| - ordorod_cons  (Mrf o_cons  (xl , x2> ) *>TRUE 


Induct  su»_tongth(xl,x2M 
NEU  COALS: 

(11 

xl:cons,x2:cons 
#1  ordorod_cons(xl) 

#2  ordoPod_eons (x2) 

61  txl’ :cons,x2’ :eont 

#1  su»_length(xl’ ,x2’ ) c su*_longth(xl,x2> 

#2  ordered_cons(xi’) 

#3  ordsrsd_cons(x2') 

| - order ed_cons  (serge .cons  (xl * , x2 ’ ) ) •»TRUEI 
| - ordorod_cons  (serge .cons  (xl , x2)  UTRUE 

SINPLIFIES  TO: 

xl.cdri  I 1st ,xl.cer:netnus,xl:cons,x2.cdri lltt,x2.cer:netnus,K2:cons 
#1  ordor od_cons (eons (x 1 . cor , xl . edr ) ) 

#2  ordorod_cons  (cons  (x2. eor ,x2. edr ) ) 

(1  txl* :cons,x2’ :cons 

#1  sue. length (xl ' ,x2* ) c sua_longth(cons(xl.cor,xl.cdr),eons(x2.cortx2.cdr>) 
#2  ordered.cons(xl’) 

#3  ordered_cons(x2*> 

|-  ordered_cons(serge_cons(xr  ,x2')>»TRUE) 

|-  ordered.cone  (serge.cons  (cone  (xl.  cor,  xl. edr), eone(x2. cor,  x2.cdr))) 

1 COALS  REMAIN  TO  IE  PROVED 


CURRENT  COAL: 
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xl.cdr:  I It  t , xl. car :natnua,xli cons, x2. cdr  i 1 lat ,x2.c*rin*tnun,x2:cons 

11  ordorod.cons  (com  (xl.car.xl.cdr) ) 

12  order-  '_cons(cont(x2. car, x2.cdr)) 

<1  txl’ic  ,x2’icont 

11  ti  3«h(xl’,x2’)  c *uo_longtMcons(xl. car, xl.cdr), cons(x2. car, x2.cdr)) 

12  L cons(xl’) 

13  or  it  t.  ont(x2') 

|-  oi  di  o_cons(n*rg*_cons(xl’,x2’>>»TRUE) 

|-  ord*rtd_-'ons(aarg*_cons(cons(xi.car,xl.cdr) ,cons (x2. ear, x2.cdr))) 


I 


typo  loqual (xl.car,x2.car) I 
NEU  COOLS: 

(1) 

xl.cdr:  1 lst,xl.c*rinatnua,xlicons,x2.cdri  I lat,x2.earinatiHja,x2>corta 

11  loqual (xl.car, x2. car)  i TRUE 

12  ordorod.cont (cons (xl . car , xl . cdr ) > 

#3  ordarod_cons (cons  1x2. car, x2.cdr)) 

<1  txl’ icons, x2’ icon* 

#1  sun_length(xl’,x2’)  c sua_longth(cons(xl. car, xl. cdr), cons(x2. car, x2.cdr)) 
12  ordorod_cons (xl  ’ ) 

#3  ordorod_cons (x2’ ) 

|-  ordorod_con*  <m*rg*_eons  <xl’  ,x2’))»TRUEl 
| - ordor«d_cons (mor qo_cont (eona (xl.car.xl. cdr), cons(x2. car, x2.cdr))) 

SIHPL  IF  IES  TO: 

xl.cdr:  I Is t , xl . car: natrium, x2.cdr:  1 1st , x2.car:natnua 

11  loqual (xl. car, x2. car) 

12  ordorod_cons (cons (xl.car ,xl .cdr) ) 

13  ordorod_cons (cons  <x2. car, x2.cdr ) ) 

(1  txl’ i cons, x2’ icons 

11  sun_l*ngtMxl’,x2’)  c *u»_l*ngth(cons(xl. car, xl.cdr), cons(x2. car, x2.cdr)) 

12  ordorsd.cona (xl* ) 

13  ordorod_cons (x2’ ) 

| - ordarad_cons  (aorgo_cons  (xl ’ , x2’ ) ) »>TRUE1 
|-  ordortd_cons (cons (xl.car, aorgatxl. cdr, cons(x2.c*r,x2. cdr)) >) 

(21 

xl.cdr:  1 1 tt , xl . car  mat nun, xl icons, x2.cdr: I lst,x2.carinatnun,x2:cons 
II  I aqua i (xl.car, x2. car)  ■ FOLSE 
!2  ordorod_cons  (cons (xl . car, xl. cdr) ) 

13  ordsrod.cons  (cons  <x2 . car , x2 . cdr ) ) 

•1  (xl* icons, x2’ icons 

11  sua_longth(xl’,x2’)  c sua_longth(con*(xl. car, xl. cdr), cons(x2. car, x2.cdr)) 

12  ord*rad_cons(xi’) 

13  ordarad.cons (x2* ) 

|-  ord*rod_con*(n*rg*_cons(xl’  ,x2’ ) )»»TRUE) 

|-  ordorod.eons (narqo.cons (cona (xl.car, xl.cdr) , cons (x2. car, x2.cdr))) 

SIHPLIFIES  TO: 

xl.cdr i 1 1 st, xl.car i natnun.x2.cdr 1 1 1 1 1, x2. ear matnua 
#1  not  loqual  (xl.car, x2. car) 

#2  ordorod_cons  (cons  (xl . car , xl . cdr ) ) 

13  or dorad_cona (cons (x2.cdr , x2.cdr) ) 

<1  txl ’ icons, x2’ icons 

11  sun_tangth(xl’,x2’>  c aun_l*ngth (constxl. ear, xl. cdr), cons(x2. car, x2.cdr)) 

12  ordorsd.cons (xl* ) 

13  ordorad_cont(x2’) 

ordorod_cons (sorgo _cons  (xl*  ,x2’))»TRUE) 

|-  It  loqual  (x2. ear, card  1st  case  of  x2.cdr  I NILi  con*  (xl.car,  xl.cdr)  const 
sorgo  _cons(eons(xl.  car,  xl.  cdr  ),eons(x2.  cdr.  car,  x2.  cdr.  cdr))l))  than 
ordorod_con* (cdr (sorga_cons (cons (xl.car , xl.cdr) , eons (x2.ear,x2.edr) )) ) also 
FOLSE 


1 
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2 COALS  REMAIN  TO  BE  PROVED 
CURRENT  GOAL. 

xl.cdrt  1 1st  ,xl.cannatnua,x2.cdri  I Ist,x2.carinatnua 
fl  laqual (xl.car,x2.car) 
f2  ordarad_cons  (cons (xl . car , xl . cdr) ) 

13  ordsrsd_cons (cons  (x2. car,x2. cdr) > 

•1  txl* icons, x2’ icons 

#1 sum_length(x1',x2') < sum_length(cons(x1.car,x1.cdr), cons(x2.car,x2.cdr))
#2 ordered_cons(x1')
#3 ordered_cons(x2')

|- ordered_cons(merge_cons(x1',x2')) => TRUE]

|- ordered_cons(cons(x1.car, merge(x1.cdr, cons(x2.car,x2.cdr))))


type x1.cdr;
NEW GOALS:
(1)

x1.cdr:list, x1.car:natnum, x2.cdr:list, x2.car:natnum
#1 x1.cdr : NIL
#2 lequal(x1.car, x2.car)
#3 ordered_cons(cons(x1.car,x1.cdr))
#4 ordered_cons(cons(x2.car,x2.cdr))

∀1 [x1':cons, x2':cons
#1 sum_length(x1',x2') < sum_length(cons(x1.car,x1.cdr), cons(x2.car,x2.cdr))
#2 ordered_cons(x1')
#3 ordered_cons(x2')

|- ordered_cons(merge_cons(x1',x2')) => TRUE]

|- ordered_cons(cons(x1.car, merge(x1.cdr, cons(x2.car,x2.cdr))))

SIMPLIFIES TO:

TRUE

(2)

x1.cdr:list, x1.car:natnum, x2.cdr:list, x2.car:natnum
#1 x1.cdr : cons
#2 lequal(x1.car, x2.car)
#3 ordered_cons(cons(x1.car,x1.cdr))
#4 ordered_cons(cons(x2.car,x2.cdr))

∀1 [x1':cons, x2':cons
#1 sum_length(x1',x2') < sum_length(cons(x1.car,x1.cdr), cons(x2.car,x2.cdr))
#2 ordered_cons(x1')
#3 ordered_cons(x2')

|- ordered_cons(merge_cons(x1',x2')) => TRUE]

|- ordered_cons(cons(x1.car, merge(x1.cdr, cons(x2.car,x2.cdr))))

SIMPLIFIES TO:

TRUE

1 GOALS REMAIN TO BE PROVED
CURRENT GOAL:

x1.cdr:list, x1.car:natnum, x2.cdr:list, x2.car:natnum
#1 not lequal(x1.car, x2.car)
#2 ordered_cons(cons(x1.car,x1.cdr))
#3 ordered_cons(cons(x2.car,x2.cdr))

∀1 [x1':cons, x2':cons
#1 sum_length(x1',x2') < sum_length(cons(x1.car,x1.cdr), cons(x2.car,x2.cdr))
#2 ordered_cons(x1')
#3 ordered_cons(x2')

|- ordered_cons(merge_cons(x1',x2')) => TRUE]

|- if lequal(x2.car, car(list case of x2.cdr [NIL: cons(x1.car,x1.cdr) cons:
merge_cons(cons(x1.car,x1.cdr), cons(x2.cdr.car,x2.cdr.cdr))])) then
ordered_cons(cdr(merge_cons(cons(x1.car,x1.cdr), cons(x2.car,x2.cdr)))) else
FALSE


type x2.cdr;
NEW GOALS:
(1)

x1.cdr:list, x1.car:natnum, x2.cdr:list, x2.car:natnum
#1 x2.cdr : NIL
#2 not lequal(x1.car, x2.car)
#3 ordered_cons(cons(x1.car,x1.cdr))
#4 ordered_cons(cons(x2.car,x2.cdr))

∀1 [x1':cons, x2':cons
#1 sum_length(x1',x2') < sum_length(cons(x1.car,x1.cdr), cons(x2.car,x2.cdr))
#2 ordered_cons(x1')
#3 ordered_cons(x2')

|- ordered_cons(merge_cons(x1',x2')) => TRUE]

|- if lequal(x2.car, car(list case of x2.cdr [NIL: cons(x1.car,x1.cdr) cons:
merge_cons(cons(x1.car,x1.cdr), cons(x2.cdr.car,x2.cdr.cdr))])) then
ordered_cons(cdr(merge_cons(cons(x1.car,x1.cdr), cons(x2.car,x2.cdr)))) else
FALSE

SIMPLIFIES TO:

TRUE

(2)

x1.cdr:list, x1.car:natnum, x2.cdr:list, x2.car:natnum
#1 x2.cdr : cons
#2 not lequal(x1.car, x2.car)
#3 ordered_cons(cons(x1.car,x1.cdr))
#4 ordered_cons(cons(x2.car,x2.cdr))

∀1 [x1':cons, x2':cons
#1 sum_length(x1',x2') < sum_length(cons(x1.car,x1.cdr), cons(x2.car,x2.cdr))
#2 ordered_cons(x1')
#3 ordered_cons(x2')

|- ordered_cons(merge_cons(x1',x2')) => TRUE]

|- if lequal(x2.car, car(list case of x2.cdr [NIL: cons(x1.car,x1.cdr) cons:
merge_cons(cons(x1.car,x1.cdr), cons(x2.cdr.car,x2.cdr.cdr))])) then
ordered_cons(cdr(merge_cons(cons(x1.car,x1.cdr), cons(x2.car,x2.cdr)))) else
FALSE

SIMPLIFIES TO:

TRUE

PROOF OF +18 RELATIVE TO THE ASSERTIONS:

+23 +20 +24 +19 +21

UNPROVED RULES: +24 +23 +22 +21 +20 +19 +16 +15 +14 +12 +11 +10 +7
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

prove +22;

PROVING +22
y:list_of_cons

|- length(pair_merge(y)) < suc(length(y)) => TRUE


induct y;
NEW GOALS:
(1)

y:list_of_cons
#1 y : NIL

∀1 [y':list_of_cons
#1 y' < y

|- length(pair_merge(y')) < suc(length(y')) => TRUE]

|- length(pair_merge(y)) < suc(length(y)) = TRUE

SIMPLIFIES TO:

TRUE

(2)

y:list_of_cons
#1 y : join
∀1 [y':list_of_cons
#1 y' < y

|- length(pair_merge(y')) < suc(length(y')) => TRUE]
|- length(pair_merge(y)) < suc(length(y)) = TRUE

SIMPLIFIES TO:

y.tl:list_of_cons, y.hd.cdr:list, y.hd.car:natnum
∀1 [y':list_of_cons

#1 y' < join(cons(y.hd.car,y.hd.cdr), y.tl)

|- length(pair_merge(y')) < suc(length(y')) => TRUE]

|- length(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL)
join: join(merge_cons(cons(y.hd.car,y.hd.cdr), cons(y.tl.hd.car,y.tl.hd.cdr
)), pair_merge(y.tl.tl))])) < suc(length(y.tl))

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

y.tl:list_of_cons, y.hd.cdr:list, y.hd.car:natnum
∀1 [y':list_of_cons

#1 y' < join(cons(y.hd.car,y.hd.cdr), y.tl)

|- length(pair_merge(y')) < suc(length(y')) => TRUE]

|- length(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL)
join: join(merge_cons(cons(y.hd.car,y.hd.cdr), cons(y.tl.hd.car,y.tl.hd.cdr
)), pair_merge(y.tl.tl))])) < suc(length(y.tl))


type y.tl;
NEW GOALS:

(1)

y.tl:list_of_cons, y.hd.cdr:list, y.hd.car:natnum
#1 y.tl : NIL
∀1 [y':list_of_cons

#1 y' < join(cons(y.hd.car,y.hd.cdr), y.tl)

|- length(pair_merge(y')) < suc(length(y')) => TRUE]

|- length(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL)
join: join(merge_cons(cons(y.hd.car,y.hd.cdr), cons(y.tl.hd.car,y.tl.hd.cdr
)), pair_merge(y.tl.tl))])) < suc(length(y.tl))

SIMPLIFIES TO:

TRUE
(2)

y.tl:list_of_cons, y.hd.cdr:list, y.hd.car:natnum
#1 y.tl : join
∀1 [y':list_of_cons

#1 y' < join(cons(y.hd.car,y.hd.cdr), y.tl)

|- length(pair_merge(y')) < suc(length(y')) => TRUE]

|- length(tl(list_of_cons case of y.tl [NIL: join(cons(y.hd.car,y.hd.cdr),NIL)
join: join(merge_cons(cons(y.hd.car,y.hd.cdr), cons(y.tl.hd.car,y.tl.hd.cdr
)), pair_merge(y.tl.tl))])) < suc(length(y.tl))

SIMPLIFIES TO:
TRUE

PROOF OF +22

UNPROVED RULES: +24 +23 +21 +20 +19 +16 +15 +14 +12 +11 +10 +7
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

prove +24;

PROVING +24

n:natnum, x1:cons, x2:cons

#1 ordered_cons(cons(n,x1))

#2 ordered_cons(cons(n,x2))

|- lequal(n, car(merge_cons(x1,x2))) => TRUE


type lequal(car(x1),car(x2));
NEW GOALS:
(1)

n:natnum, x1:cons, x2:cons
#1 lequal(car(x1),car(x2)) : TRUE
#2 ordered_cons(cons(n,x1))
#3 ordered_cons(cons(n,x2))

|- lequal(n, car(merge_cons(x1,x2))) = TRUE

SIMPLIFIES TO:

TRUE

(2)

n:natnum, x1:cons, x2:cons
#1 lequal(car(x1),car(x2)) : FALSE
#2 ordered_cons(cons(n,x1))
#3 ordered_cons(cons(n,x2))

|- lequal(n, car(merge_cons(x1,x2))) = TRUE

SIMPLIFIES TO:

TRUE

PROOF OF +24

UNPROVED RULES: +23 +21 +20 +19 +16 +15 +14 +12 +11 +10 +7
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

program perm2;

function append(l1:list, l2:list): list =
  list case l1 of
    NIL: l2
    cons: cons(car(l1), append(cdr(l1), l2));

THE FOLLOWING FUNCTIONS ARE UNDEFINED:
sum_length
permutation
lequal

rule +25

n:natnum, x:list, y:list
#1 permutation(x,y)

|- permutation(cons(n,x), cons(n,y)) => TRUE;

+25 ACCEPTED


rule +26

m:natnum, n:natnum, l:list, x:list, y:list

|- permutation(cons(m,l), cons(n, append(x, cons(m,y)))) => permutation(l, cons(n,
append(x,y)));

+26 ACCEPTED


prove +15;

PROVING +15
x:cons, y:cons

|- permutation(merge_cons(x,y), append(x,y)) => TRUE

CURRENT GOAL:

(1)

x:cons, y:cons

|- permutation(merge_cons(x,y), append(x,y)) = TRUE
SIMPLIFIES TO:

x.cdr:list, x.car:natnum, x:cons, y.cdr:list, y.car:natnum, y:cons

|- permutation(merge_cons(cons(x.car,x.cdr), cons(y.car,y.cdr)), cons(x.car, append
(x.cdr, cons(y.car,y.cdr))))

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

x.cdr:list, x.car:natnum, x:cons, y.cdr:list, y.car:natnum, y:cons
|- permutation(merge_cons(cons(x.car,x.cdr), cons(y.car,y.cdr)), cons(x.car, append
(x.cdr, cons(y.car,y.cdr))))


induct sum_length(cons(x.car,x.cdr), cons(y.car,y.cdr));

NEW GOALS:

(1)

x.cdr:list, x.car:natnum, x:cons, y.cdr:list, y.car:natnum, y:cons
∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(merge_cons(cons(x.car,x.cdr), cons(y.car,y.cdr)), cons(x.car, append
(x.cdr, cons(y.car,y.cdr))))

SIMPLIFIES TO:

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]
|- permutation(merge_cons(cons(x.car,x.cdr), cons(y.car,y.cdr)), cons(x.car, append
(x.cdr, cons(y.car,y.cdr))))

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]
|- permutation(merge_cons(cons(x.car,x.cdr), cons(y.car,y.cdr)), cons(x.car, append
(x.cdr, cons(y.car,y.cdr))))


type lequal(x.car, y.car);
NEW GOALS:
(1)

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum
#1 lequal(x.car, y.car) : TRUE

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(merge_cons(cons(x.car,x.cdr), cons(y.car,y.cdr)), cons(x.car, append
(x.cdr, cons(y.car,y.cdr))))

SIMPLIFIES TO:

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum
#1 lequal(x.car, y.car)

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(cons(x.car, merge(x.cdr, cons(y.car,y.cdr))), cons(x.car, append(
x.cdr, cons(y.car,y.cdr))))

(2)

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum
#1 lequal(x.car, y.car) : FALSE

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(merge_cons(cons(x.car,x.cdr), cons(y.car,y.cdr)), cons(x.car, append
(x.cdr, cons(y.car,y.cdr))))

SIMPLIFIES TO:

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum
#1 not lequal(x.car, y.car)

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]
|- permutation(list case of y.cdr [NIL: cons(x.car,x.cdr) cons: merge_cons(
cons(x.car,x.cdr), cons(y.cdr.car,y.cdr.cdr))], cons(x.car, append(x.cdr, y.cdr)
))

2 GOALS REMAIN TO BE PROVED
CURRENT GOAL:

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum
#1 lequal(x.car, y.car)

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(cons(x.car, merge(x.cdr, cons(y.car,y.cdr))), cons(x.car, append(
x.cdr, cons(y.car,y.cdr))))


type x.cdr;
NEW GOALS:
(1)

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum
#1 x.cdr : NIL
#2 lequal(x.car, y.car)

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(cons(x.car, merge(x.cdr, cons(y.car,y.cdr))), cons(x.car, append(
x.cdr, cons(y.car,y.cdr))))

SIMPLIFIES TO:

TRUE

(2)

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum
#1 x.cdr : cons
#2 lequal(x.car, y.car)

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(cons(x.car, merge(x.cdr, cons(y.car,y.cdr))), cons(x.car, append(
x.cdr, cons(y.car,y.cdr))))

SIMPLIFIES TO:

TRUE

1 GOALS REMAIN TO BE PROVED
CURRENT GOAL:

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum
#1 not lequal(x.car, y.car)

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(list case of y.cdr [NIL: cons(x.car,x.cdr) cons: merge_cons(
cons(x.car,x.cdr), cons(y.cdr.car,y.cdr.cdr))], cons(x.car, append(x.cdr, y.cdr)
))


type y.cdr;
NEW GOALS:

(1)

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum

#1 y.cdr : NIL

#2 not lequal(x.car, y.car)

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(list case of y.cdr [NIL: cons(x.car,x.cdr) cons: merge_cons(
cons(x.car,x.cdr), cons(y.cdr.car,y.cdr.cdr))], cons(x.car, append(x.cdr, y.cdr)
))

SIMPLIFIES TO:

TRUE

(2)

x.cdr:list, x.car:natnum, y.cdr:list, y.car:natnum
#1 y.cdr : cons

#2 not lequal(x.car, y.car)

∀1 [x.cdr':list, x.car':natnum, x':cons, y.cdr':list, y.car':natnum, y':cons

#1 sum_length(cons(x.car',x.cdr'), cons(y.car',y.cdr')) < sum_length(cons(
x.car,x.cdr), cons(y.car,y.cdr))

|- permutation(merge_cons(cons(x.car',x.cdr'), cons(y.car',y.cdr')), cons(
x.car', append(x.cdr', cons(y.car',y.cdr')))) => TRUE]

|- permutation(list case of y.cdr [NIL: cons(x.car,x.cdr) cons: merge_cons(
cons(x.car,x.cdr), cons(y.cdr.car,y.cdr.cdr))], cons(x.car, append(x.cdr, y.cdr)
))

SIMPLIFIES TO:

TRUE

PROOF OF +15 RELATIVE TO THE ASSERTIONS:

+10 +20 +17 +7 +25 +19 +26 +21

UNPROVED RULES: +26 +25 +23 +21 +20 +19 +17 +16 +14 +12 +11 +10 +7
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2


qed;
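The lemmas proved in this session (+15, +18, +22, +24) can also be run as executable checks. The following Python is an added example, not part of the thesis or its verifier: only append is taken from program perm2; merge, merge_cons, ordered_cons, permutation and pair_merge are reconstructed from the simplified goals shown in the transcript and are assumptions. Lists are Python lists of natural numbers, with NIL as [] and cons(a, x) as [a] + x.

```python
"""Executable model (added example, not from the thesis) of the merge-sort
functions whose lemmas are proved above.  Only append comes from program
perm2; merge, merge_cons, ordered_cons, permutation and pair_merge are
reconstructed from the simplified goals and are assumptions."""
from itertools import product


def lequal(a, b):
    return a <= b


def append(l1, l2):
    """append from program perm2: NIL: l2, cons: cons(car(l1), append(cdr(l1), l2))."""
    if not l1:
        return l2
    return [l1[0]] + append(l1[1:], l2)


def sum_length(x, y):
    """The measure used by 'induct sum_length(...)'; it must drop on every recursive call."""
    return len(x) + len(y)


def merge(x, y):
    """merge on arbitrary lists (assumed): an empty operand yields the other one."""
    if not x:
        return y
    if not y:
        return x
    return merge_cons(x, y)


def merge_cons(x1, x2):
    """merge_cons on two cons cells, as read off the goals: lequal(x1.car, x2.car)
    gives cons(x1.car, merge(x1.cdr, x2)), otherwise cons(x2.car, merge(x1, x2.cdr))."""
    assert x1 and x2, "merge_cons expects two cons cells"
    if lequal(x1[0], x2[0]):
        assert sum_length(x1[1:], x2) < sum_length(x1, x2)  # induction measure decreases
        return [x1[0]] + merge(x1[1:], x2)
    assert sum_length(x1, x2[1:]) < sum_length(x1, x2)  # induction measure decreases
    return [x2[0]] + merge(x1, x2[1:])


def ordered_cons(x):
    """ordered_cons (assumed): every element is lequal to its successor."""
    return all(lequal(a, b) for a, b in zip(x, x[1:]))


def permutation(x, y):
    """permutation (assumed): same elements with the same multiplicities."""
    return sorted(x) == sorted(y)


def pair_merge(y):
    """pair_merge over a list_of_cons (a list of cons cells), as displayed in the +22
    goals: NIL and join(hd, NIL) are unchanged; join(hd, join(hd2, tl)) becomes
    join(merge_cons(hd, hd2), pair_merge(tl))."""
    if len(y) < 2:
        return list(y)
    return [merge_cons(y[0], y[1])] + pair_merge(y[2:])


def check_lemmas(x, y):
    """Truth values of +15, +18 and +24 for the cons cells x and y."""
    m = merge_cons(x, y)
    lemma15 = permutation(m, append(x, y))
    # +18 and +24 carry ordered_cons hypotheses on both operands.
    lemma18 = not (ordered_cons(x) and ordered_cons(y)) or ordered_cons(m)
    lemma24 = all(not (ordered_cons([n] + x) and ordered_cons([n] + y)) or lequal(n, m[0])
                  for n in range(4))
    return lemma15, lemma18, lemma24


def check_pair_merge(y):
    """+22: length(pair_merge(y)) < suc(length(y))."""
    return len(pair_merge(y)) < len(y) + 1


def exhaustive(max_len=3, alphabet=(0, 1, 2)):
    """Check +15/+18/+24 on every pair of non-empty lists up to max_len over alphabet,
    and +22 on every short list_of_cons built from the first few of them."""
    lists = [list(t) for n in range(1, max_len + 1) for t in product(alphabet, repeat=n)]
    pairs_ok = all(all(check_lemmas(x, y)) for x in lists for y in lists)
    pm_ok = all(check_pair_merge(list(ys)) for n in range(4) for ys in product(lists[:4], repeat=n))
    return pairs_ok and pm_ok
```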

prove +10;

PROVING +10
x:list

|- append(x,NIL) => x


induct x;
NEW GOALS:

(1)

x:list
#1 x : NIL
∀1 [x':list
#1 x' < x

|- append(x',NIL)=x' => TRUE]
|- append(x,NIL)=x

SIMPLIFIES TO:

TRUE

(2)

x:list
#1 x : cons
∀1 [x':list
#1 x' < x

|- append(x',NIL)=x' => TRUE]
|- append(x,NIL)=x

SIMPLIFIES TO:

TRUE

PROOF OF +10 RELATIVE TO THE ASSERTIONS:

+17

UNPROVED RULES: +26 +25 +23 +21 +20 +19 +17 +16 +14 +12 +11 +7
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

prove +14;

PROVING +14

x:list, y:list, z:list_of_cons

|- append(x, append(y, list_append(z))) => append(append(x,y), list_append(z))


induct x;
NEW GOALS:

(1)

x:list, y:list, z:list_of_cons
#1 x : NIL

∀1 [x':list, y':list, z':list_of_cons

#1 x' < x

|- append(x', append(y', list_append(z'))) = append(append(x',y'), list_append(z')
) => TRUE]

|- append(x, append(y, list_append(z))) = append(append(x,y), list_append(z))
SIMPLIFIES TO:

TRUE

(2)

x:list, y:list, z:list_of_cons

#1 x : cons

∀1 [x':list, y':list, z':list_of_cons

#1 x' < x

|- append(x', append(y', list_append(z'))) = append(append(x',y'), list_append(z')
) => TRUE]

|- append(x, append(y, list_append(z))) = append(append(x,y), list_append(z))
SIMPLIFIES TO:

TRUE

PROOF OF +14 RELATIVE TO THE ASSERTIONS:

+17

UNPROVED RULES: +26 +25 +23 +21 +20 +19 +17 +16 +12 +11 +7
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

prove +11;
PROVING +11
x:list

|- list_append(drop(x)) => x


induct x;

NEW GOALS:

(1)

x:list
#1 x : NIL
∀1 [x':list
#1 x' < x

|- list_append(drop(x'))=x' => TRUE]
|- list_append(drop(x))=x

SIMPLIFIES TO:

TRUE

(2)

x:list
#1 x : cons
∀1 [x':list
#1 x' < x

|- list_append(drop(x'))=x' => TRUE]
|- list_append(drop(x))=x

SIMPLIFIES TO:
TRUE

PROOF OF +11 RELATIVE TO THE ASSERTIONS:

+17

UNPROVED RULES: +26 +25 +23 +21 +20 +19 +17 +16 +12 +7
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

prove +17;

PROVING +17
x:list

|- append(NIL,x) => x
CURRENT GOAL:
(1)

x:list

|- append(NIL,x)=x
SIMPLIFIES TO:

TRUE

PROOF OF +17

UNPROVED RULES: +26 +25 +23 +21 +20 +19 +16 +12 +7
UNPROVED SYNTAX LEMMAS: -16 -11 -10 -2

qed;

prove -11;

PROVING -11

l1:list, l2:list

|- append(l1,l2) : list


induct l1;
NEW GOALS:
(1)

l1:list, l2:list
#1 l1 : NIL
∀1 [l1':list, l2':list
#1 l1' < l1

|- append(l1',l2') : list]

|- append(l1,l2) : list

SIMPLIFIES TO:

TRUE

(2)

l1:list, l2:list

#1 l1 : cons

∀1 [l1':list, l2':list

#1 l1' < l1

|- append(l1',l2') : list]

|- append(l1,l2) : list

SIMPLIFIES TO:

TRUE

PROOF OF -11

UNPROVED RULES: +26 +25 +23 +21 +20 +19 +16 +12 +7
UNPROVED SYNTAX LEMMAS: -16 -10 -2

qed;
A 1.4 Example 4: McCarthy-Painter Compiler for Expressions

program mcp;

type locname = atom U natnum

type location = location(loc: locname, locval: integer)

type state = NIL U locations(first_loc: location, other_locs: state)

type load = load(loc_adr: locname)

type sto = sto(sto_adr: natnum)

type li = li(arg: integer)

type add = add(add_adr: locname)

type instr = load U sto U li U add

type code = NIL U instrs(first_instr: instr, other_instrs: code)

type expr = integer U atom U sum(expr1: expr, expr2: expr)

function append(x:code, y:code): code =
  code case x of
    NIL: y
    instrs: instrs(first_instr(x), append(other_instrs(x), y))

declare function plus(x:integer, y:integer): integer

function contents(l:locname, s:state): integer =
  state case s of
    NIL: ZERO
    locations: if l equals loc(first_loc(s)) then locval(first_loc(s))
               else contents(l, other_locs(s))

function update(ln:locname, lv:integer, s:state): state =
  state case s of
    NIL: locations(location(ln,lv), NIL)
    locations: if loc(first_loc(s)) equals ln then
                 locations(location(ln,lv), other_locs(s))
               else locations(first_loc(s), update(ln, lv, other_locs(s)))

function step(i:instr, s:state): state =
  instr case i of
    load: update(ZERO, contents(loc_adr(i), s), s)
    sto: update(sto_adr(i), contents(ZERO, s), s)
    li: update(ZERO, arg(i), s)
    add: update(ZERO, plus(contents(add_adr(i), s), contents(ZERO, s)), s)

function outcome(c:code, s:state): state =
  code case c of
    NIL: s
    instrs: outcome(other_instrs(c), step(first_instr(c), s))

function compile(tcount:suc, e:expr): code =
  expr case e of
    integer: instrs(li(e), NIL)
    atom: instrs(load(e), NIL)
    sum: append(append(compile(tcount, expr1(e)),
                       instrs(sto(tcount), compile(suc(tcount), expr2(e)))),
                instrs(add(tcount), NIL))

function value(e:expr, s:state): integer =
  expr case e of
    integer: e
    atom: contents(e, s)
    sum: plus(value(expr1(e), s), value(expr2(e), s));

THE FOLLOWING FUNCTIONS ARE UNDEFINED:
plus

THE FOLLOWING SYNTAX LEMMAS HAVE BEEN GENERATED BY THE PARSER:
[-1]

x:code, y:code
|- append(x,y) : code]

[-2]

x:integer, y:integer
|- plus(x,y) : integer]

[-3]

l:locname, s:state

|- contents(l,s) : integer]

[-4]

ln:locname, lv:integer, s:state
|- update(ln,lv,s) : state]

[-5]

i:instr, s:state
|- step(i,s) : state]

[-6]

c:code, s:state
|- outcome(c,s) : state]

[-7]

tcount:suc, e:expr
|- compile(tcount,e) : code]

[-8]

e:expr, s:state
|- value(e,s) : integer]


theorem +1

n:suc, e:expr, s:state

|- contents(ZERO, outcome(compile(n,e),s)) = value(e,s);
THEOREM +1 ACCEPTED


rule +1

l:locname, n:integer, s:state

|- contents(l, update(l,n,s)) => n;

+1 ACCEPTED


rule +2

c1:code, c2:code, s:state

|- outcome(append(c1,c2),s) => outcome(c2, outcome(c1,s));
+2 ACCEPTED


rule +3

n:suc, e:expr, s:state

|- contents(n, outcome(compile(suc(n),e),s)) => contents(n,s);
+3 ACCEPTED


rule +4

e:expr, c:code, s:state

|- value(e, outcome(c,s)) => value(e,s);


+4 ACCEPTED


rule +5

e:expr, n:natnum, v:integer, s:state

|- value(e, update(n,v,s)) => value(e,s);

+5 ACCEPTED
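Before the proof session, it is useful to see theorem +1 and rules +1 to +5 as executable properties of the compiler. The following Python is an added example, not the thesis's own code: it transcribes program mcp, assuming that atoms are Python str, natnums and integers are Python int, plus is integer addition, and a state is a list of (loc, locval) pairs.

```python
"""Executable model (added example, not from the thesis) of program mcp.
Assumptions: atoms are Python str, natnums and integers are Python int,
plus is integer addition, and a state is a list of (loc, locval) pairs."""
from dataclasses import dataclass

ZERO = 0  # the accumulator location; locname = atom U natnum


@dataclass(frozen=True)
class Sum:            # expr = integer U atom U sum(expr1, expr2)
    expr1: object
    expr2: object


@dataclass(frozen=True)
class Load:           # load(loc_adr: locname)
    loc_adr: object


@dataclass(frozen=True)
class Sto:            # sto(sto_adr: natnum)
    sto_adr: int


@dataclass(frozen=True)
class Li:             # li(arg: integer)
    arg: int


@dataclass(frozen=True)
class Add:            # add(add_adr: locname)
    add_adr: object


def contents(l, s):
    """contents: NIL yields ZERO, otherwise the value of the first location named l."""
    for loc, locval in s:
        if loc == l:
            return locval
    return ZERO


def update(ln, lv, s):
    """update: replace the first location named ln, or add it at the end (NIL case)."""
    if not s:
        return [(ln, lv)]
    (loc, locval), rest = s[0], s[1:]
    if loc == ln:
        return [(ln, lv)] + rest
    return [(loc, locval)] + update(ln, lv, rest)


def step(i, s):
    """step: load, li and add write the accumulator ZERO; sto writes a temporary."""
    if isinstance(i, Load):
        return update(ZERO, contents(i.loc_adr, s), s)
    if isinstance(i, Sto):
        return update(i.sto_adr, contents(ZERO, s), s)
    if isinstance(i, Li):
        return update(ZERO, i.arg, s)
    return update(ZERO, contents(i.add_adr, s) + contents(ZERO, s), s)


def outcome(c, s):
    """outcome: run the code c (a Python list of instructions) from state s."""
    for i in c:
        s = step(i, s)
    return s


def compile_expr(tcount, e):
    """compile(tcount: suc, e: expr); tcount >= 1 is the first free temporary."""
    if isinstance(e, int):
        return [Li(e)]
    if isinstance(e, str):
        return [Load(e)]
    return (compile_expr(tcount, e.expr1) + [Sto(tcount)]
            + compile_expr(tcount + 1, e.expr2) + [Add(tcount)])


def value(e, s):
    """value: the meaning of the expression e in state s."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return contents(e, s)
    return value(e.expr1, s) + value(e.expr2, s)


def theorem_1(n, e, s):
    """theorem +1: contents(ZERO, outcome(compile(n, e), s)) = value(e, s)."""
    return contents(ZERO, outcome(compile_expr(n, e), s)) == value(e, s)


def rules_1_to_5(n, e, s, c, l, v):
    """rules +1..+5 on concrete arguments (n: suc, c: code, l: locname, v: integer)."""
    r1 = contents(l, update(l, v, s)) == v
    r2 = outcome(c + compile_expr(n, e), s) == outcome(compile_expr(n, e), outcome(c, s))
    r3 = contents(n, outcome(compile_expr(n + 1, e), s)) == contents(n, s)
    r4 = value(e, outcome(c, s)) == value(e, s)   # code never stores into an atom
    r5 = value(e, update(n, v, s)) == value(e, s)  # a natnum is never an atom of e
    return r1 and r2 and r3 and r4 and r5
```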


prove +1;

PROVING +1

n:suc, e:expr, s:state

|- contents(ZERO, outcome(compile(n,e),s)) = value(e,s)


induct e ∀;


NEW GOALS:
(1)

n:suc, e:expr, s:state

#1 e : integer

∀1 [n':suc, e':expr, s':state

#1 e' < e

|- contents(ZERO, outcome(compile(n',e'),s')) => value(e',s')]
|- contents(ZERO, outcome(compile(n,e),s)) = value(e,s)

SIMPLIFIES TO:

TRUE

(2)

n:suc, e:expr, s:state

#1 e : atom

∀1 [n':suc, e':expr, s':state

#1 e' < e

|- contents(ZERO, outcome(compile(n',e'),s')) => value(e',s')]
|- contents(ZERO, outcome(compile(n,e),s)) = value(e,s)

SIMPLIFIES TO:

TRUE

(3)

n:suc, e:expr, s:state

#1 e : sum

∀1 [n':suc, e':expr, s':state

#1 e' < e

|- contents(ZERO, outcome(compile(n',e'),s')) => value(e',s')]
|- contents(ZERO, outcome(compile(n,e),s)) = value(e,s)

SIMPLIFIES TO:

TRUE

PROOF OF +1 RELATIVE TO THE ASSERTIONS:

+1 +2 +3 +5 +4

UNPROVED RULES: +5 +4 +3 +2 +1

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -3 -2 -1

qed;


rule +6

n1:suc, n2:suc, e:expr, s:state
#1 n1 < n2

|- contents(n1, outcome(compile(n2,e),s)) => contents(n1,s);
+6 ACCEPTED


rule +7

l1:locname, l2:locname, n:integer, s:state
#1 l1 ≠ l2

|- contents(l1, update(l2,n,s)) => contents(l1,s);
+7 ACCEPTED


prove +3;

PROVING +3
n:suc, e:expr, s:state

|- contents(n, outcome(compile(suc(n),e),s)) => contents(n,s)

CURRENT GOAL:

(1)

n:suc, e:expr, s:state

|- contents(n, outcome(compile(suc(n),e),s)) = contents(n,s)
SIMPLIFIES TO:

TRUE

PROOF OF +3 RELATIVE TO THE ASSERTIONS:

+6

UNPROVED RULES: +6 +5 +4 +2 +1

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -3 -2 -1

qed;


prove +6;

PROVING +6

n1:suc, n2:suc, e:expr, s:state
#1 n1 < n2

|- contents(n1, outcome(compile(n2,e),s)) => contents(n1,s)


induct e ∀;


NEW GOALS:
(1)

n1:suc, n2:suc, e:expr, s:state
#1 e : integer
#2 n1 < n2

∀1 [n1':suc, n2':suc, e':expr, s':state

#1 e' < e

#2 n1' < n2'

|- contents(n1', outcome(compile(n2',e'),s')) => contents(n1',s')]
|- contents(n1, outcome(compile(n2,e),s)) = contents(n1,s)

SIMPLIFIES TO:

TRUE

(2)

n1:suc, n2:suc, e:expr, s:state

#1 e : atom

#2 n1 < n2

∀1 [n1':suc, n2':suc, e':expr, s':state
#1 e' < e

#2 n1' < n2'

|- contents(n1', outcome(compile(n2',e'),s')) => contents(n1',s')]
|- contents(n1, outcome(compile(n2,e),s)) = contents(n1,s)

SIMPLIFIES TO:

TRUE

(3)

n1:suc, n2:suc, e:expr, s:state

#1 e : sum

#2 n1 < n2

∀1 [n1':suc, n2':suc, e':expr, s':state
#1 e' < e

#2 n1' < n2'

|- contents(n1', outcome(compile(n2',e'),s')) => contents(n1',s')]
|- contents(n1, outcome(compile(n2,e),s)) = contents(n1,s)

SIMPLIFIES TO:

TRUE

PROOF OF +6 RELATIVE TO THE ASSERTIONS:
+7 +2 +1

UNPROVED RULES: +7 +5 +4 +2 +1

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -3 -2 -1

qed;

prove +1;

PROVING +1

l:locname, n:integer, s:state
|- contents(l, update(l,n,s)) => n


induct s ∀;


NEW GOALS:
(1)

l:locname, n:integer, s:state
#1 s : NIL

∀1 [l':locname, n':integer, s':state
#1 s' < s

|- contents(l', update(l',n',s')) => n']

|- contents(l, update(l,n,s)) = n

SIMPLIFIES TO:

TRUE

(2)

l:locname, n:integer, s:state
#1 s : locations

∀1 [l':locname, n':integer, s':state
#1 s' < s

|- contents(l', update(l',n',s')) => n']

|- contents(l, update(l,n,s)) = n

SIMPLIFIES TO:

s.other_locs:state, s.first_loc.locval:integer, s.first_loc.loc:locname
, l:locname, n:integer
∀1 [l':locname, n':integer, s':state

#1 s' < locations(location(s.first_loc.loc, s.first_loc.locval),
s.other_locs)

|- contents(l', update(l',n',s')) => n']
|- if l equals loc(first_loc(if s.first_loc.loc equals l then
locations(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs))))
then locval(first_loc(if s.first_loc.loc equals l then locations
(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs))))
else contents(l, other_locs(if s.first_loc.loc equals l then
locations(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs)))) = n
1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

s.other_locs:state, s.first_loc.locval:integer, s.first_loc.loc:locname
, l:locname, n:integer
∀1 [l':locname, n':integer, s':state

#1 s' < locations(location(s.first_loc.loc, s.first_loc.locval),
s.other_locs)

|- contents(l', update(l',n',s')) => n']
|- if l equals loc(first_loc(if s.first_loc.loc equals l then
locations(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs))))
then locval(first_loc(if s.first_loc.loc equals l then locations
(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs))))
else contents(l, other_locs(if s.first_loc.loc equals l then
locations(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs)))) = n


type s.first_loc.loc equals l;


NEW GOALS:
(1)

s.other_locs:state, s.first_loc.locval:integer, s.first_loc.loc:locname
, l:locname, n:integer
#1 (s.first_loc.loc equals l) : TRUE
∀1 [l':locname, n':integer, s':state

#1 s' < locations(location(s.first_loc.loc, s.first_loc.locval),
s.other_locs)

|- contents(l', update(l',n',s')) => n']
|- if l equals loc(first_loc(if s.first_loc.loc equals l then
locations(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs))))
then locval(first_loc(if s.first_loc.loc equals l then locations
(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs))))
else contents(l, other_locs(if s.first_loc.loc equals l then
locations(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs)))) = n

SIMPLIFIES TO:

TRUE

(2)

s.other_locs:state, s.first_loc.locval:integer, s.first_loc.loc:locname
, l:locname, n:integer
#1 (s.first_loc.loc equals l) : FALSE
∀1 [l':locname, n':integer, s':state

#1 s' < locations(location(s.first_loc.loc, s.first_loc.locval),
s.other_locs)

|- contents(l', update(l',n',s')) => n']

|- if l equals loc(first_loc(if s.first_loc.loc equals l then
locations(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs))))
then locval(first_loc(if s.first_loc.loc equals l then locations
(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs))))
else contents(l, other_locs(if s.first_loc.loc equals l then
locations(location(l,n), s.other_locs) else locations(location(
s.first_loc.loc, s.first_loc.locval), update(l,n,s.other_locs)))) = n

SIMPLIFIES TO:

TRUE

PROOF OF +1

UNPROVED RULES: +7 +5 +4 +2

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -3 -2 -1

qed;


prove +2;

PROVING +2

c1:code, c2:code, s:state

|- outcome(append(c1,c2),s) => outcome(c2, outcome(c1,s))


induct c1 ∀;


NEW GOALS:

(1)

c1:code, c2:code, s:state
#1 c1 : NIL

∀1 [c1':code, c2':code, s':state
#1 c1' < c1

|- outcome(append(c1',c2'),s') => outcome(c2', outcome(c1',s'))]
|- outcome(append(c1,c2),s) = outcome(c2, outcome(c1,s))

SIMPLIFIES TO:

TRUE

(2)

c1:code, c2:code, s:state
#1 c1 : instrs

∀1 [c1':code, c2':code, s':state
#1 c1' < c1

|- outcome(append(c1',c2'),s') => outcome(c2', outcome(c1',s'))]
|- outcome(append(c1,c2),s) = outcome(c2, outcome(c1,s))

SIMPLIFIES TO:

TRUE

PROOF OF +2

UNPROVED RULES: +7 +5 +4

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -3 -2 -1


prove +4;

PROVING +4

e:expr,c:code,s:state
|- value(e,outcome(c,s))=>value(e,s)


induct c ->!


NEW GOALS:

(1)

e:expr,c:code,s:state
#1 c : NIL

&1 [e':expr,c':code,s':state
#1 c' ⊂ c

|- value(e',outcome(c',s'))=>value(e',s')]
|- value(e,outcome(c,s))=value(e,s)

SIMPLIFIES TO:

TRUE

(2)

e:expr,c:code,s:state
#1 c : instrs

&1 [e':expr,c':code,s':state
#1 c' ⊂ c

|- value(e',outcome(c',s'))=>value(e',s')]
|- value(e,outcome(c,s))=value(e,s)

SIMPLIFIES TO:

c.other_instrs:code,c.first_instr:instr,e:expr,s:state
&1 [e':expr,c':code,s':state
#1 c' ⊂ instrs(c.first_instr,c.other_instrs)

|- value(e',outcome(c',s'))=>value(e',s')]
|- value(e,step(c.first_instr,s))=value(e,s)

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

c.other_instrs:code,c.first_instr:instr,e:expr,s:state
&1 [e':expr,c':code,s':state
#1 c' ⊂ instrs(c.first_instr,c.other_instrs)

|- value(e',outcome(c',s'))=>value(e',s')]
|- value(e,step(c.first_instr,s))=value(e,s)


type c.first_instr!


NEW GOALS:

(1)

c.other_instrs:code,c.first_instr:instr,e:expr,s:state
#1 c.first_instr : load
&1 [e':expr,c':code,s':state
#1 c' ⊂ instrs(c.first_instr,c.other_instrs)

|- value(e',outcome(c',s'))=>value(e',s')]
|- value(e,step(c.first_instr,s))=value(e,s)

SIMPLIFIES TO:

TRUE

(2)

c.other_instrs:code,c.first_instr:instr,e:expr,s:state
#1 c.first_instr : sto
&1 [e':expr,c':code,s':state
#1 c' ⊂ instrs(c.first_instr,c.other_instrs)

|- value(e',outcome(c',s'))=>value(e',s')]
|- value(e,step(c.first_instr,s))=value(e,s)

SIMPLIFIES TO:

TRUE

(3)

c.other_instrs:code,c.first_instr:instr,e:expr,s:state
#1 c.first_instr : li
&1 [e':expr,c':code,s':state
#1 c' ⊂ instrs(c.first_instr,c.other_instrs)

|- value(e',outcome(c',s'))=>value(e',s')]
|- value(e,step(c.first_instr,s))=value(e,s)

SIMPLIFIES TO:

TRUE

(4)

c.other_instrs:code,c.first_instr:instr,e:expr,s:state
#1 c.first_instr : add
&1 [e':expr,c':code,s':state
#1 c' ⊂ instrs(c.first_instr,c.other_instrs)

|- value(e',outcome(c',s'))=>value(e',s')]
|- value(e,step(c.first_instr,s))=value(e,s)

SIMPLIFIES TO:

TRUE

PROOF OF +4 RELATIVE TO THE ASSERTIONS:

+5

UNPROVED RULES: *7 +5

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -3 -2 -1


prove +5;

PROVING +5

e:expr,n:natnum,v:integer,s:state
|- value(e,update(n,v,s))=>value(e,s)


induct e ->!


NEW GOALS:

(1)

e:expr,n:natnum,v:integer,s:state
#1 e : integer

&1 [e':expr,n':natnum,v':integer,s':state
#1 e' ⊂ e

|- value(e',update(n',v',s'))=>value(e',s')]
|- value(e,update(n,v,s))=value(e,s)

SIMPLIFIES TO:

TRUE

(2)

e:expr,n:natnum,v:integer,s:state
#1 e : atom

&1 [e':expr,n':natnum,v':integer,s':state
#1 e' ⊂ e

|- value(e',update(n',v',s'))=>value(e',s')]
|- value(e,update(n,v,s))=value(e,s)

SIMPLIFIES TO:

TRUE

(3)

e:expr,n:natnum,v:integer,s:state
#1 e : sum

&1 [e':expr,n':natnum,v':integer,s':state
#1 e' ⊂ e

|- value(e',update(n',v',s'))=>value(e',s')]
|- value(e,update(n,v,s))=value(e,s)

SIMPLIFIES TO:

TRUE

PROOF OF +5 RELATIVE TO THE ASSERTIONS:
+7

UNPROVED RULES: *7

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -3 -2 -1
qed;


prove +7;
PROVING +7

l1:locname,l2:locname,n:integer,s:state
#1 l1≠l2

|- contents(l1,update(l2,n,s))=>contents(l1,s)


induct s ->!


NEW GOALS:
(1)

l1:locname,l2:locname,n:integer,s:state
#1 s : NIL
#2 l1≠l2

&1 [l1':locname,l2':locname,n':integer,s':state
#1 s' ⊂ s
#2 l1'≠l2'

|- contents(l1',update(l2',n',s'))=>contents(l1',s')]
|- contents(l1,update(l2,n,s))=contents(l1,s)

SIMPLIFIES TO:

TRUE

(2)

l1:locname,l2:locname,n:integer,s:state
#1 s : locations
#2 l1≠l2

&1 [l1':locname,l2':locname,n':integer,s':state
#1 s' ⊂ s
#2 l1'≠l2'

|- contents(l1',update(l2',n',s'))=>contents(l1',s')]
|- contents(l1,update(l2,n,s))=contents(l1,s)

SIMPLIFIES TO:

s.other_locs:state,s.first_loc.locval:integer,s.first_loc.loc:locname
,l1:locname,l2:locname,n:integer
#1 l1≠l2

&1 [l1':locname,l2':locname,n':integer,s':state
#1 s' ⊂ locations(location(s.first_loc.loc,s.first_loc.locval),
s.other_locs)
#2 l1'≠l2'

|- contents(l1',update(l2',n',s'))=>contents(l1',s')]

|- if l1 equals loc(first_loc(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))
then locval(first_loc(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))
else contents(l1,other_locs(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))=
if l1 equals s.first_loc.loc then s.first_loc.locval else
contents(l1,s.other_locs)

1 GOALS REMAIN TO BE PROVED

CURRENT GOAL:

s.other_locs:state,s.first_loc.locval:integer,s.first_loc.loc:locname
,l1:locname,l2:locname,n:integer
#1 l1≠l2

&1 [l1':locname,l2':locname,n':integer,s':state
#1 s' ⊂ locations(location(s.first_loc.loc,s.first_loc.locval),
s.other_locs)
#2 l1'≠l2'

|- contents(l1',update(l2',n',s'))=>contents(l1',s')]

|- if l1 equals loc(first_loc(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))
then locval(first_loc(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))
else contents(l1,other_locs(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))=
if l1 equals s.first_loc.loc then s.first_loc.locval else
contents(l1,s.other_locs)


type s.first_loc.loc equals l2!


NEW GOALS:
(1)

s.other_locs:state,s.first_loc.locval:integer,s.first_loc.loc:locname
,l1:locname,l2:locname,n:integer
#1 (s.first_loc.loc equals l2) : TRUE
#2 l1≠l2

&1 [l1':locname,l2':locname,n':integer,s':state
#1 s' ⊂ locations(location(s.first_loc.loc,s.first_loc.locval),
s.other_locs)
#2 l1'≠l2'

|- contents(l1',update(l2',n',s'))=>contents(l1',s')]

|- if l1 equals loc(first_loc(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))
then locval(first_loc(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))
else contents(l1,other_locs(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))=
if l1 equals s.first_loc.loc then s.first_loc.locval else
contents(l1,s.other_locs)

SIMPLIFIES TO:

TRUE

(2)

s.other_locs:state,s.first_loc.locval:integer,s.first_loc.loc:locname
,l1:locname,l2:locname,n:integer
#1 (s.first_loc.loc equals l2) : FALSE
#2 l1≠l2

&1 [l1':locname,l2':locname,n':integer,s':state
#1 s' ⊂ locations(location(s.first_loc.loc,s.first_loc.locval),
s.other_locs)
#2 l1'≠l2'

|- contents(l1',update(l2',n',s'))=>contents(l1',s')]

|- if l1 equals loc(first_loc(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))
then locval(first_loc(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))
else contents(l1,other_locs(if s.first_loc.loc equals l2 then
locations(location(l2,n),s.other_locs) else locations(location(
s.first_loc.loc,s.first_loc.locval),update(l2,n,s.other_locs))))=
if l1 equals s.first_loc.loc then s.first_loc.locval else
contents(l1,s.other_locs)

SIMPLIFIES TO:

TRUE

PROOF OF +7

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -3 -2 -1
qed;


prove -1;

PROVING -1
x:code,y:code
|- append(x,y) : code

induct x!


NEW GOALS:

(1)

x:code,y:code
#1 x : NIL
&1 [x':code,y':code
#1 x' ⊂ x

|- append(x',y') : code]
|- append(x,y) : code

SIMPLIFIES TO:

TRUE

(2)

x:code,y:code
#1 x : instrs
&1 [x':code,y':code
#1 x' ⊂ x

|- append(x',y') : code]
|- append(x,y) : code

SIMPLIFIES TO:

TRUE

PROOF OF -1

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -3 -2


qed;


prove -3;

PROVING -3

l:locname,s:state

|- contents(l,s) : integer


induct s!


NEW GOALS:
(1)

l:locname,s:state
#1 s : NIL

&1 [l':locname,s':state
#1 s' ⊂ s

|- contents(l',s') : integer]
|- contents(l,s) : integer

SIMPLIFIES TO:

TRUE

(2)

l:locname,s:state
#1 s : locations
&1 [l':locname,s':state
#1 s' ⊂ s

|- contents(l',s') : integer]
|- contents(l,s) : integer

SIMPLIFIES TO:

TRUE

PROOF OF -3

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -4 -2
qed;


prove -4;

PROVING -4

ln:locname,lv:integer,s:state
|- update(ln,lv,s) : state


induct s!


NEW GOALS:
(1)

ln:locname,lv:integer,s:state
#1 s : NIL

&1 [ln':locname,lv':integer,s':state
#1 s' ⊂ s

|- update(ln',lv',s') : state]
|- update(ln,lv,s) : state

SIMPLIFIES TO:

TRUE

(2)

ln:locname,lv:integer,s:state
#1 s : locations

&1 [ln':locname,lv':integer,s':state
#1 s' ⊂ s

|- update(ln',lv',s') : state]
|- update(ln,lv,s) : state

SIMPLIFIES TO:

TRUE

PROOF OF -4

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -5 -2
qed;


prove -5;

PROVING -5
i:instr,s:state

|- step(i,s) : state


type i!


NEW GOALS:

(1)

i:instr,s:state
#1 i : load
|- step(i,s) : state

SIMPLIFIES TO:

TRUE

(2)

i:instr,s:state
#1 i : sto
|- step(i,s) : state

SIMPLIFIES TO:

TRUE

(3)

i:instr,s:state
#1 i : li
|- step(i,s) : state

SIMPLIFIES TO:

TRUE

(4)

i:instr,s:state
#1 i : add
|- step(i,s) : state

SIMPLIFIES TO:

TRUE

PROOF OF -5

UNPROVED SYNTAX LEMMAS: -8 -7 -6 -2


qed;


prove -6;

PROVING -6

c:code,s:state

|- outcome(c,s) : state


induct c!


NEW GOALS:
(1)

c:code,s:state
#1 c : NIL
&1 [c':code,s':state
#1 c' ⊂ c

|- outcome(c',s') : state]
|- outcome(c,s) : state

SIMPLIFIES TO:

TRUE

(2)

c:code,s:state
#1 c : instrs
&1 [c':code,s':state
#1 c' ⊂ c

|- outcome(c',s') : state]
|- outcome(c,s) : state

SIMPLIFIES TO:

TRUE

PROOF OF -6

UNPROVED SYNTAX LEMMAS: -8 -7 -2

qed;


prove -7;

PROVING -7

tcount:suc,e:expr

|- compile(tcount,e) : code


induct e!


NEW GOALS:
(1)

tcount:suc,e:expr
#1 e : integer
&1 [tcount':suc,e':expr
#1 e' ⊂ e

|- compile(tcount',e') : code]
|- compile(tcount,e) : code

SIMPLIFIES TO:

TRUE

(2)

tcount:suc,e:expr
#1 e : atom

&1 [tcount':suc,e':expr
#1 e' ⊂ e

|- compile(tcount',e') : code]
|- compile(tcount,e) : code

SIMPLIFIES TO:

TRUE

(3)

tcount:suc,e:expr
#1 e : sum

&1 [tcount':suc,e':expr
#1 e' ⊂ e

|- compile(tcount',e') : code]
|- compile(tcount,e) : code

SIMPLIFIES TO:

TRUE

PROOF OF -7

UNPROVED SYNTAX LEMMAS: -8 -2


qed;


prove -8;

PROVING -8

e:expr,s:state

|- value(e,s) : integer


induct e!


NEW GOALS:
(1)

e:expr,s:state
#1 e : integer
&1 [e':expr,s':state
#1 e' ⊂ e

|- value(e',s') : integer]
|- value(e,s) : integer

SIMPLIFIES TO:

TRUE

(2)

e:expr,s:state
#1 e : atom

&1 [e':expr,s':state
#1 e' ⊂ e

|- value(e',s') : integer]
|- value(e,s) : integer

SIMPLIFIES TO:

TRUE

(3)

e:expr,s:state
#1 e : sum

&1 [e':expr,s':state
#1 e' ⊂ e

|- value(e',s') : integer]
|- value(e,s) : integer

SIMPLIFIES TO:

TRUE

PROOF OF -8

UNPROVED SYNTAX LEMMAS: -2
qed;
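The session above proves the lemmas +1, +2, +4, +5 and +7 by induction, with the simplifier discharging most cases. Before handing a lemma to a prover it is worth checking it by brute-force evaluation, which also shows which hypothesis is load-bearing. The following is an added example, not code from the thesis: a Python model of the TYPED LISP functions whose recursions the simplified goals expose (contents, update, outcome over instrs/NIL, value over integer/atom/sum), together with an exhaustive check of the five lemmas on a small domain. Everything the page does not show is an assumption and is marked as such in the comments: the accumulator is taken to be temporary location 0, the four instructions load, sto, li and add are given the usual McCarthy-Painter meaning, contents on NIL returns 0, and update on NIL allocates the location. Expressions read only atoms (strings) and instructions write only natnums (ints), which is exactly the separation lemmas +5 and +7 require; the optional `sto_may_write_atoms` switch violates it and makes the check report +4 as failing.

```python
from itertools import product

ACC = 0  # assumption: the accumulator is modelled as temporary location 0


def contents(l, s):
    """contents(l, s): the value at location l; returning 0 on NIL is an assumption."""
    for loc, val in s:
        if loc == l:
            return val
    return 0


def update(l, n, s):
    """update(l, n, s): the recursion the simplified goals above expose
    (the first_loc / other_locs case split seen in the +1 and +7 goals)."""
    if not s:
        return [(l, n)]                       # update(l, n, NIL): assumed to allocate
    (loc, val), rest = s[0], s[1:]
    if loc == l:
        return [(l, n)] + rest
    return [(loc, val)] + update(l, n, rest)


def step(i, s):
    """One instruction (meanings assumed).  Every write lands on a natnum
    location, which is the discipline lemmas +4 and +5 rely on."""
    op, arg = i
    if op == 'load':
        return update(ACC, contents(arg, s), s)
    if op == 'sto':
        return update(arg, contents(ACC, s), s)
    if op == 'li':
        return update(ACC, arg, s)
    if op == 'add':
        return update(ACC, contents(ACC, s) + contents(arg, s), s)
    raise ValueError(op)


def outcome(c, s):
    """outcome(NIL, s) = s; outcome(instrs(i, rest), s) = outcome(rest, step(i, s))."""
    for i in c:
        s = step(i, s)
    return s


def value(e, s):
    """expr = integer | atom | sum; only atoms (strings) are read from the state."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return contents(e, s)
    return value(e[1], s) + value(e[2], s)


def check_lemmas(sto_may_write_atoms=False):
    """Evaluate lemmas +1, +2, +4, +5, +7 over a small constructed domain and
    return the names of those that fail (an empty list means all held)."""
    atoms, temps, ints = ['x', 'y'], [0, 1, 2], [0, 1]
    locs = atoms + temps[:2]
    states = [[]] + [[(a, v)] for a in locs for v in ints] \
        + [[(a, v), (b, w)] for a in locs for b in locs if a != b
           for v in ints for w in ints]
    exprs = [0, 1, 'x', 'y', ('sum', 'x', 1), ('sum', ('sum', 'x', 'y'), 0)]
    instrs = [('load', 'x'), ('load', 1), ('sto', 1), ('li', 1), ('add', 1)]
    if sto_may_write_atoms:
        instrs.append(('sto', 'x'))        # breaks the temporaries-only discipline
    codes = [[]] + [[i] for i in instrs] + [[i, j] for i in instrs for j in instrs]
    failed = set()
    for l, n, s in product(locs, ints, states):                   # +1
        if contents(l, update(l, n, s)) != n:
            failed.add('+1')
    for c1, c2, s in product(codes, codes, states):               # +2 (append is +)
        if outcome(c1 + c2, s) != outcome(c2, outcome(c1, s)):
            failed.add('+2')
    for e, c, s in product(exprs, codes, states):                 # +4
        if value(e, outcome(c, s)) != value(e, s):
            failed.add('+4')
    for e, n, v, s in product(exprs, temps, ints, states):        # +5
        if value(e, update(n, v, s)) != value(e, s):
            failed.add('+5')
    for l1, l2, n, s in product(locs, locs, ints, states):        # +7
        if l1 != l2 and contents(l1, update(l2, n, s)) != contents(l1, s):
            failed.add('+7')
    return sorted(failed)


if __name__ == '__main__':
    print('failing lemmas:', check_lemmas())
    print('with sto allowed to write an atom:', check_lemmas(True))
```

The check is a finite model, not a proof: it cannot replace the inductions above, but a counterexample it finds is a real one. The second call illustrates the point the proof of +4 makes when it splits on the instruction type: the lemma holds only because no instruction can write to a location an expression reads.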
APPENDIX 2
TLV USER'S MANUAL


A 2.1 TLV Conventions

Before describing the commands accepted by the TYPED LISP Verifier, we need to define
some terminology and notation. All statements in TLV are divided into four parts:

1. Variable declarations.

2. Quantifier-free hypotheses.

3. Induction hypotheses.

4. Conclusion.

A variable declaration is simply a formula of the form v : T where v is a variable and
T is a type name. Every free variable appearing anywhere in a statement must be declared.
The only statements which may contain induction hypotheses are the intermediate goals
generated in the course of a proof. To permit easy reference to some part of a statement,
quantifier-free hypotheses are labeled #1, #2, ... and induction hypotheses are labeled &1, &2,
... At any intermediate point in a proof in TLV, there is a list of goals which remain to be
proved. These goals are labeled *1, *2, ... Goal *1 is called the current goal.

Statements serving as theorems or lemmas are called assertions. TLV assigns every
assertion a unique assertion-name of the form *n, -n, or +n where n is a positive integer and
the prefixes *, -, and + designate theorems, syntax lemmas, and user-specified lemmas,
respectively. Assertions are parsed by the verifier according to the following syntax.

assertion                    declarations [ hypothesis ] |- conclusion

where each hypothesis is a formula and the conclusion is a formula rewrite pattern or an
expression rewrite pattern with the syntax:

expression rewrite pattern   expression => expression

formula rewrite pattern      formula => formula

The command interpreter accepts labels of the form #n preceding hypotheses so it can parse
assertions printed in the verifier's standard output format. They have no semantic
significance.


In TLV, formulas have the form:


A specifier composed solely of numbers designates the formula or expression within the
current goal selected by the following rules. The first number of the sequence is a code
indicating which part of the goal contains the specified formula or expression. Zero indicates
the conclusion; a positive integer i indicates quantifier-free hypothesis #i. Each subsequent
number n (which must be positive) selects the nth operand of the currently selected formula
or expression. The final formula or expression selected is the one designated by the specifier.


A more useful form for a specifier includes an operator op naming the head operator of
the designated formula or expression (root of the standard syntax tree representation). The
formula or expression designated by the specifier op n1 ... nk is the first formula or
expression with head operator op encountered in a left-to-right scan of the formula or
expression selected by the specifier n1 ... nk.
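The two specifier forms just described are easy to get wrong interactively (operand numbering starts at 1, and the part code comes first), so here is an added example, not part of the manual, that resolves both forms against a goal written in the verifier's printed format. The goal, the tiny term parser and the helper names (`select`, `select_op`, `unparse`) are all constructed for this illustration; the only interpretation added beyond the text is that "left-to-right scan" is taken to mean a pre-order walk of the syntax tree, so a term whose own head is op is found before any of its operands.

```python
import re

# Constructed goal in the verifier's printed format (not copied from the session above).
GOAL = {
    'decls': 'c1:code,c2:code,s:state',
    'hyps': ['c1 : instrs'],                                   # hypothesis #1
    'concl': 'outcome(append(c1,c2),s)=outcome(c2,outcome(c1,s))',
}

TOKEN = re.compile(r"\s*(=>|=|[(),:]|[A-Za-z_][A-Za-z0-9_.']*|\d+)")


def tokenize(text):
    pos, out = 0, []
    end = len(text.rstrip())
    while pos < end:
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f'bad input at {text[pos:]!r}')
        out.append(m.group(1))
        pos = m.end()
    return out


def parse(text):
    """Parse `f(a,b)`, `x : T`, and infix `=` / `=>` into (head, [operands]) trees."""
    toks, i = tokenize(text), 0

    def term():
        nonlocal i
        head = toks[i]
        i += 1
        if i < len(toks) and toks[i] == '(':
            i += 1
            args = [term()]
            while toks[i] == ',':
                i += 1
                args.append(term())
            if toks[i] != ')':
                raise SyntaxError('expected )')
            i += 1
            return (head, args)
        return (head, [])

    left = term()
    if i < len(toks) and toks[i] in ('=', '=>', ':'):
        op = toks[i]
        i += 1
        left = (op, [left, term()])
    if i != len(toks):
        raise SyntaxError(f'unparsed tail {toks[i:]}')
    return left


def select(goal, spec):
    """Numeric specifier: the first number names the part (0 = conclusion,
    i = hypothesis #i); each further number n selects the nth operand."""
    part, *path = spec
    tree = parse(goal['concl'] if part == 0 else goal['hyps'][part - 1])
    for n in path:
        head, args = tree
        if not 1 <= n <= len(args):
            raise IndexError(f'{head} has no operand {n}')
        tree = args[n - 1]
    return tree


def select_op(goal, op, spec):
    """Op form: the first subterm headed by `op` met in a left-to-right scan
    (pre-order, an assumption) of the node selected by the numeric part `spec`."""
    def scan(t):
        if t[0] == op:
            return t
        for a in t[1]:
            hit = scan(a)
            if hit is not None:
                return hit
        return None
    hit = scan(select(goal, spec))
    if hit is None:
        raise LookupError(f'no subterm headed by {op} under specifier {spec}')
    return hit


def unparse(t):
    head, args = t
    if head in ('=', '=>', ':'):
        return unparse(args[0]) + head + unparse(args[1])
    return head if not args else f"{head}({','.join(unparse(a) for a in args)})"


if __name__ == '__main__':
    print(unparse(select(GOAL, [0, 2, 1])))            # c2
    print(unparse(select_op(GOAL, 'append', [0])))     # append(c1,c2)
```

With this goal, the specifier `0 2 1` names the first operand of the right-hand side of the conclusion (c2), `1` names hypothesis #1 as a whole, and the op form `outcome 0 2` names the right-hand side itself, because its head is already outcome and the scan stops at the root before descending.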


A 2.2 TLV User Commands

Now we are finally ready to discuss the commands accepted by the verifier. Each command
name may be abbreviated by any initial segment of the name which uniquely identifies the
command. In the following list of commands, the symbol bar ( | ), pointy-brackets ( <, > ),
braces ( {, } ), and square brackets ( [, ] ) are used as meta-symbols. Any symbol enclosed in
braces is optional. Symbols appearing within pointy-brackets and separated by bars are
mutually exclusive alternatives. The bar symbol also appears as a terminal symbol in the
prove command without ambiguity since no pointy brackets surround it. Finally, square
brackets denote the Kleene closure of the enclosed sequence of symbols. The commands
available in TLV are:

assume {*} number <; | !>

Function: makes goal *number into a rule.

consequence <formula | specifier> <; | !>

Function: applies the consequence rule to goal *1 using the specified formula.

clear <; | !>

Function: reinitializes the verifier.


delete [ hypothesis-number ] [ induction-hypothesis-number ] <; | !>

Function: applies the hypothesis deletion rule to the specified hypotheses.

disable [ <function-name | assertion-name> ] <; | !>

Function: disables the specified expansion rules and lemmas until the next prove or
enable command.

enable [ <function-name | assertion-name> ] <; | !>

Function: enables the specified expansion rules and lemmas if they were disabled.

equals <{#} number | formula | specifier> <<- | ->> {specifier} <; | !>

Function: applies the equals rule to the section of goal *1 indicated by specifier (if
omitted the entire goal is specified) using equality-hypothesis #number or the new
hypothesis specified. The latter option also creates the extra goal of proving the
general-formula is a consequence of the goal hypotheses.
formula <formula | specifier> <; | !>

Function: performs a formula split on goal *1 using the specified formula.

induct <expression | specifier> {<<- | ->>} <; | !>

Function: applies the induction rule to goal *1 using the specified expression as the
induction term. The optional pattern-specifier (the symbol <- or ->) makes the
induction-hypothesis into an expression rule or formula rule directed in the specified
direction, if possible.

instantiate <assertion-name | & number> [ expression ] <; | !>

Function: applies the instantiation rule to goal *1 using the specified assertion and the
terms provided in the expression-list. Note, the expressions in the expression-list and
the final terminator (the symbol ; or !) are entered in response to queries by the verifier.

list <assertion-class | assertion-name> <; | !>

Function: lists all assertions in the specified assertion-class or the single assertion
specified by assertion-name on the user's terminal.

occurs <{#} number | expression | specifier> <{#} number | expression | specifier> <; | !>

Function: applies the occurs rule to the two expressions indicated. The first expression
must be of the form t1 ⊂ t2 and the second of the form t2 ⊂ t3 where t1, t2, t3 are
terms.

program file-name <; | !>

Function: reads the program from the file file-name.pg. Note: the effect of reading
several programs without performing an intervening clear command is cumulative. No
previous definitions are destroyed.

prove assertion-name { | [ assertion-name ] } <; | !>

Function: initializes the goal-list to the single goal specified by assertion-name and
disables the rules specified by the assertion-names following the bar symbol ( | ). The
verifier automatically disables any rules depending on the selected assertion or a
disabled rule.

read file-name <; | !>

Function: reads commands from the file file-name.pt until an end-of-file or
error-condition is encountered.

replace expression {by} variable-name : type-name <; | !>

Function: applies the replacement command to goal *1, replacing the specified
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expression  by  variable-name. 
rule  assertion  <}  | !> 

Function:  creates  a rule  (lemma).  An  assertion  with  an  expression  rewrite  pattern  or  a 
formula  rewrite  pattern  for  a conclusion  creates  the  specified  expression  or  formula 
rule.  Similary,  an  assertion  with  a type  expression  for  a conclusion  creates  the  specified 
type  rule.  An  assertion  with  a conclusion  of  the  form  t j - or  t^  “ t j where  t j,  t^  are 

expressions  and  <2  is  composed  solely  from  constructors  and  constants  creates  an 
expression  rule  with  conclusion  ->  t^.  An  assertion  with  conclusion  r where  r is  an 
expression  (abbreviating  a formula)  creates  the  expression  rule  with  conclusion  t j -> 

TRUE.  Any  other  assertion  with  conclusion  a creates  the  formula  rule  with  conclusion 
o •>  TRUE. 

simplify  {•}  lumber's  <;  | !> 

Function:  simplifies  only  the  hypothesis  • number  within  goal  *1. 
show  {number)  <;  ( !> 

Function:  list  the  last  number  proof  steps  on  the  user’s  terminal.  If  number  is  ommitted, 
all  steps  are  listed. 

status  <;  | !> 

Function:  lists  the  status  of  all  assertions  (theorems,  lemmas  syntax  lemmas, 
expression-rules,  type-rules,  and  formula-rules)  known  to  the  verifier. 

undo  {number}  <;  | !> 

Function:  undoes  all  proof  steps  back  to  step  number.  If  number  is  omitted,  one  step  is 
undone. 

write  [fUe-name } <;  | !> 

Function:  writes  alt  proof  steps  executed  (but  not  undone)  since  the  verifier  was  last 
cleared. 


I 

Function:  simplifies  goal  «l. 


A 2.3 Running TLV

The terminating symbol ; or ! tells the verifier whether or not to simplify the new goals
generated (or, if no new goals are generated, goal *1). The symbol ! indicates that
simplification should be performed; the symbol ; indicates that simplification should be
suppressed. However, simplification is never done after commands which do not generate
proof steps: clear, list, read, show, status, undo, and write.

To start the TYPED LISP Verifier (TLV), the user must call the function RESET (with no
arguments) from the top level of LISP, i.e. type
(RESET)

In response, the verifier will return the prompt symbol •, indicating it is waiting for a
command. To return to the top level of LISP, the user simply types the symbol • followed by
a carriage return. To reenter the verifier from the top level of LISP after exiting or
encountering a system error, the user simply calls the function REE (with no arguments).
Unlike RESET, REE does not destroy the previous state of the verifier.
A 2.4 TYPED LISP Syntax Error Messages

2.4.1. Minor Errors

The parser continues parsing normally despite the occurrence of errors from the list below.

ERROR NUMBER  EXPLANATION

-1  The previous character in the input stream is invalid. The parser
skips and ignores the character.

-2  The actual type of the preceding expression does not intersect its
allowed type.

-3  In an enumeration, the preceding constant has already appeared in the
list-of-constants.

-4  The function-name specified in the preceding function-declaration has
already been declared earlier in the program.

-5  The current function-definition conflicts with the declaration of the
same function-name earlier in the program.

2.4.2. Major Errors

The parser recovers from the following errors by skipping the remainder of the definition or
assertion containing the error and resuming parsing at the beginning of the next definition or
command in the input stream.

ERROR NUMBER  EXPLANATION

2  A type-name must head a case-alternative.

3  An incorrect type-name heads the current case-alternative.

4  The symbol : must follow the type-name heading a case-alternative.

5  In a case-expression, case must follow the type-name heading the
expression.
In a case-expression, of must follow the index expression.

In a disjoint-union, more than one component type-name must appear.

In an if-expression, then must follow the boolean expression.

In an if-expression, else must follow the consequent expression.

In a function-call, the symbol ) or , must follow an argument.

In the preceding function-call, there are too few arguments.

A term must begin with an identifier, a constant, or the symbol [.

In the current expression, the preceding variable-name is not defined.

In the current expression, the preceding identifier is not defined.

In a function-call, the symbol ( must follow the function-name.

In the preceding function-call, there are too many arguments.

At the beginning of a definition, either type, function, or declare must
appear.

In a constructor-definition, a selector-name must head a selector-field.

The preceding identifier heading a selector-field has already been
defined.

In a constructor-definition, the symbol : must follow a selector-name.

In a selector-field, a type-name must follow the symbol : .

The preceding type-name is undefined. Forward type references are
permitted only in selector-fields within recursive-unions.

The parser was forced to abandon translating the current
case-expression because of a syntax error in the definition of the
case-type-name.
24  In a constructor-definition, the symbol ( must follow the
constructor-name.

25  In a constructor-definition, the symbol ) must follow the
selector-field-list.

26  In a type-definition, an identifier must follow type.

27  In the current type-definition, the preceding identifier has already been
defined.

28  In a type-definition, the symbol = must follow the defined-type-name.

29  In an enumeration, a constant must follow the symbol { or , .

30  In an enumeration, the symbol } must follow the list-of-constants.

31  In a type-definition, the symbol { or a type-name must follow the
symbol =.

32  In the current type-definition, the preceding type-name is undefined.

33  In the current disjoint-union or recursive-union, the preceding type
intersects another type in the union.

35  In the constructor-definition-list within a recursive-union, an
undefined identifier serving as a constructor-name must follow the
symbol U.

36  A bracketed-expression must end with the symbol ] .

37  In a function-definition, an undefined identifier must follow function.

39  In a function-definition, the symbol ( must follow the function-name.

40  In a parameter-list within a definition or assertion, a variable-name
must appear at the beginning of the list and following each , .

42  In the current parameter-list, the preceding variable-name appears
twice.

43  In a parameter-list, the symbol : must follow a variable-name.
44  In a parameter-list, a type-name must follow the symbol : .

46  In a function-definition or function-declaration, the symbol ( must
follow the parameter-list.

47  In a function-definition or function-declaration, the symbol : must
follow function ( parameter-list ) .

48  In a function-definition or function-declaration, a type-name must
follow function ( parameter-list ) : .

49  In a function-definition, the symbol = must precede the expression
forming the body of the function.

50  The current function-definition conflicts with the declaration of the
same function-name earlier in the program.

51  In a function-declaration, function must follow declare.

52  In a type-test, a type-name must follow term : .

101  In an assertion or induction-hypothesis, the delimiter |- must precede the
consequent.

102  In an atomic-formula, a type-name must follow the predicate symbol : .

103  The predicate symbol => must not appear in an assertion which is not a
rule.

104  In an atomic-formula, the only infix-predicates permitted are
=, ≠, and ⊂ .

105  A parenthesized-formula must end with the symbol ) .


6.5  TYPED  LISP  Verifier  Command  Errors 

If the command parser detects an error while reading from the user terminal, it skips to the first | or I following the error. If the parser finds an error in a proof file, it closes the file and selects the user terminal for input.
ERROR NUMBER  EXPLANATION

1  Illegal command name.

2  A number was expected, but not found.

3  The selected goal does not exist.

4  No goals exist; the preceding command is inapplicable.

5  The selected hypothesis is not an equality formula.

6  The preceding specifier does not identify an expression.

7  The preceding specifier does not identify a formula.

8  The selected hypothesis does not exist.

9  The selected hypothesis is not an implication.

10  The type of the induction expression is not recursive.

11  The selected assertion or induction hypothesis does not exist.

12  The selected assertion depends on the assertion being proved.

13  Illegal assertion-name.

14  The selected hypothesis is not an occurs formula.

15  The selected hypothesis is not an or formula.

16  A proof is in progress; the prove command is illegal.

17  The selected assertion has already been proved.

18  Illegal variable name.

19  The symbol i is expected following the variable-name in a replace command.

20  Illegal type-name.

21  The type of the specified expression cannot be split.

22  No proof steps exist.

23  The specified file-name is not a lower-case-identifier.

24  The symbol → or *■ is missing in an equality command.

25  The symbol ■> is used illegally within a rule.

26  The type of the specified expression does not intersect the type of the instantiated variable.

27  The selected lemma cannot be instantiated because it contains induction hypotheses.

28  A program command in a command file generated a syntax error.
One of the most popular models of computation is the least fixed-point approach to semantics originated by Kleene [Kleene 1952] and refined by Scott [1970, 1971], Park [1969], Milner [1973], and others. Least fixed-point semantics interprets a function defined by a recursion equation as the least fixed-point of the functional associated with the right side of the equation. In other words, if f is defined by the recursion equation:

$f(x_1, \ldots, x_n) \equiv \tau(x_1, \ldots, x_n),$

then f is interpreted as the least fixed-point of the functional $\tau^*[f]$ defined by

$\tau^*[f](x_1, \ldots, x_n) = \tau(x_1, \ldots, x_n)$

using the standard partial ordering on partial functions. Of course, suitable restrictions must be placed on the domain of data values and on the base functions appearing in $\tau$ for the least fixed-point to exist [See Milner 1973, Manna 1975].

Unfortunately, the least fixed-point interpretation for a function defined by a recursion equation frequently differs from the standard call-by-value interpretation used in most programming languages. Some computer scientists have been so impressed by the elegance of the least fixed-point interpretation for recursive functions that they have called the call-by-value interpretation incorrect! My own view is that while least fixed-point semantics is mathematically elegant in many respects, it is not an appropriate model for functions defined by recursion in real programming languages. Call-by-value semantics is much more intuitively comprehensible; few programmers think of the recursive procedures they write as the least fixed-points of functionals. The most appealing feature of least fixed-point semantics is that it defines the meaning of recursive functions without resorting to defining an interpreter for recursion equations, the usual method for formally defining the call-by-value interpretation. What is not widely appreciated is that the least fixed-point approach to semantics can be used to define the call-by-value interpretation for a recursion equation in a simple, elegant manner. Using the tools of least fixed-point semantics, I will define what I call the least call-by-value fixed-point of a recursion equation.
First, we need to review the standard definitions of least fixed-point semantics:

Definition. A complete partial ordering is a pair $\langle D, \sqsubseteq \rangle$ where D is any domain and $\sqsubseteq$ is a partial ordering on D such that:

a. There is a least element $\bot \in D$, i.e. for all $x \in D$, $\bot \sqsubseteq x$.

b. Every ascending sequence $X = x_1 \sqsubseteq x_2 \sqsubseteq \cdots$ has a least upper bound denoted l.u.b. X.

Definition. A complete partial ordering D under the relation $\sqsubseteq$ is a flat domain iff for all $x, y \in D$, $x \sqsubseteq y$ iff $x = y$ or $x = \bot$. (The data domains for all existing practical programming languages are flat.)

Definition. Let $D_1$ and $D_2$ be complete partial orderings. A function f mapping $D_1$ into $D_2$ is monotonic iff for any two elements $x, y \in D_1$, $x \sqsubseteq y$ implies $f(x) \sqsubseteq f(y)$. The function f is continuous iff for every ascending sequence $X = \{x_i \mid i = 1, 2, \ldots\}$ in $D_1$, $f(\text{l.u.b. } X) = \text{l.u.b. } \{f(x_i) \mid i = 1, 2, \ldots\}$.

Notation. Let $D_1$, $D_2$ be two complete partial orderings. We denote the set of continuous functions mapping $D_1$ into $D_2$ by $[D_1 \to D_2]$.

Theorem A. Let D be a complete partial ordering under $\sqsubseteq$. The cartesian product $D^n$ is a complete partial ordering under the relation $\sqsubseteq_n$ defined by:

$[x_1, \ldots, x_n] \sqsubseteq_n [y_1, \ldots, y_n]$ iff $x_i \sqsubseteq y_i$ for $i = 1, \ldots, n$.

Proof. See [Manna 1974].

Theorem B. If $D_1$ and $D_2$ are complete partial orderings, then $[D_1 \to D_2]$ is a complete partial ordering under the relation $\sqsubseteq$ defined for $f, g \in [D_1 \to D_2]$ by:

$f \sqsubseteq g$ iff $f(x) \sqsubseteq g(x)$ for all $x \in D_1$.

Proof. See [Milner 1973].

Theorem C. Let D be a complete partial ordering under $\sqsubseteq$, and let f be a continuous function mapping D into D. The function f has a unique least fixed-point. (In fact, the theorem is true under the weaker assumption that f is monotonic, but the less general form of the theorem given here is sufficient for most purposes including ours.)

Proof. See [Milner 1973].

Notation. Let $\tau$ be a term composed from monotonic functions; constants; the variables $x_1, \ldots, x_n$; and the function symbol f. Given the interpretation $\hat f \in [D^n \to D]$ for f and the interpretations $\hat x_i \in D$ for $x_i$, $i = 1, \ldots, n$, we denote the corresponding interpretation of $\tau$ by:

$\langle \tau; \hat f; \hat x_1, \ldots, \hat x_n \rangle$

Theorem D. Let $\tau$ be a term composed from monotonic functions; constants; the variables $x_1, \ldots, x_n$; and the function symbol f. Let $\hat f \in [D^n \to D]$, and let $\hat x_i \in D$, $i = 1, \ldots, n$. The functional $\tau^*$ defined by

$\tau^*[\hat f](\hat x_1, \ldots, \hat x_n) = \langle \tau; \hat f; \hat x_1, \ldots, \hat x_n \rangle$

is continuous.

Proof. See [Manna 1974] for a sketchy proof.

Now we are finally ready to define the least call-by-value fixed-point of a singly recursive recursion equation. The least call-by-value fixed-point of a system of mutually recursive equations is a straightforward generalization.

Definition. Let D be a flat domain under the relation $\sqsubseteq$ with subsets (types) $T_1, T_2, \ldots, T_p$ excluding the undefined object ($\bot$). Let f be the function symbol defined by the recursion equation E:

$f(x_1{:}T_1, \ldots, x_n{:}T_n) \equiv \tau(x_1, \ldots, x_n)$

where $\tau$ is a term constructed from monotonic functions on cartesian products of D, the variables $x_1, \ldots, x_n$, and the uninterpreted n-ary function symbol f. Let $\hat\tau$ denote the functional mapping $[D^n \to D]$ into $[D^n \to D]$ defined by:

$\hat\tau[\hat f](\hat x_1, \ldots, \hat x_n) = \langle \text{if } x_1{:}T_1 \wedge \cdots \wedge x_n{:}T_n \text{ then } \tau(x_1, \ldots, x_n) \text{ else } \bot;\ \hat f;\ \hat x_1, \ldots, \hat x_n \rangle$

where if-then-else denotes the standard conditional function, $:T_i$ is the strict characteristic function for type $T_i$, and $\wedge$ denotes the standard boolean function "and". Since all of these functions are monotonic, $\hat\tau$ is continuous by Theorem D. A call-by-value fixed-point of the recursion equation E is any fixed-point of the functional $\hat\tau$. A least call-by-value fixed-point g of the recursion equation E is a call-by-value fixed-point of E which has the property $g \sqsubseteq h$ for all call-by-value fixed-points h of E.

The least call-by-value fixed-point of a recursion equation obviously corresponds to the call-by-value interpretation for the function defined by the equation, since it always "evaluates" each argument to ascertain that it is defined and belongs to the proper type.
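A concrete instance of the two functionals, as an added example that is not from the dissertation: the recursion equation f(x, y) ≡ if x = 0 then 1 else f(x − 1, f(x, y)) over a small flat domain of naturals is a constructed one, chosen because its least fixed-point and its least call-by-value fixed-point differ. $\tau^*$ is realised as `tau_star`, the call-by-value functional $\hat\tau$ as `tau_hat` (a name of this example's own), and both least fixed-points are found by the standard Kleene iteration from ⊥, which Theorem C guarantees to exist but does not spell out. The naturals are truncated to 0..N so the iteration is finite.

```python
# Constructed example (not from the dissertation): least fixed-point vs.
# least call-by-value fixed-point of one recursion equation over the finite
# flat domain D = {⊥} ∪ {0, ..., N}.

BOT = None                 # the undefined object ⊥ of the flat domain
N = 4                      # naturals truncated to 0..N so iteration terminates
NAT = list(range(N + 1))   # the type T = Nat (excludes ⊥)
D = [BOT, *NAT]            # the flat domain


def strict(op):
    """Lift a total operation to a strict one on D: ⊥ if any argument is ⊥."""
    def lifted(*args):
        if any(a is BOT for a in args):
            return BOT
        return op(*args)
    return lifted


is_zero = strict(lambda x: x == 0)
pred = strict(lambda x: x - 1)


def cond(test, then_branch, else_branch):
    """The standard conditional: ⊥ on a ⊥ test, otherwise the chosen branch (lazily)."""
    if test is BOT:
        return BOT
    return then_branch() if test else else_branch()


def tau(f, x, y):
    """The right side τ(x, y) of the constructed equation
         f(x, y) ≡ if x = 0 then 1 else f(x - 1, f(x, y)),
    interpreted with the current approximant f (a table over D x D)."""
    return cond(is_zero(x), lambda: 1, lambda: f[(pred(x), f[(x, y)])])


def tau_star(f):
    """τ*[f]: the functional of least fixed-point semantics."""
    return {(x, y): tau(f, x, y) for x in D for y in D}


def tau_hat(f):
    """The call-by-value functional (tau_hat is this example's own name):
    the body is guarded by the strict characteristic functions x:Nat ∧ y:Nat."""
    def body(x, y):
        if x is BOT or y is BOT:   # x:Nat ∧ y:Nat is ⊥, so the conditional is ⊥
            return BOT
        return tau(f, x, y)
    return {(x, y): body(x, y) for x in D for y in D}


def least_fixed_point(functional):
    """Kleene iteration: start from the bottom of [D^2 → D] (⊥ everywhere) and
    apply the functional until the table stops changing.
    Returns (fixed_point, number_of_applications)."""
    f = {(x, y): BOT for x in D for y in D}
    steps = 0
    while True:
        g = functional(f)
        steps += 1
        if g == f:
            return f, steps
        f = g


def is_fixed_point(functional, f):
    return functional(f) == f


def differing_points(f, g):
    """Arguments on which two interpretations of f disagree, in domain order."""
    return [(x, y) for x in D for y in D if f[(x, y)] != g[(x, y)]]


if __name__ == "__main__":
    lfp, n1 = least_fixed_point(tau_star)
    cbv, n2 = least_fixed_point(tau_hat)
    print(f"least fixed-point: f(3, 2) = {lfp[(3, 2)]}, f(3, ⊥) = {lfp[(3, BOT)]}  ({n1} applications)")
    print(f"least call-by-value fixed-point: f(0, 2) = {cbv[(0, 2)]}, f(1, 2) = {cbv[(1, 2)]}  ({n2} applications)")
    print("the two interpretations differ on", len(differing_points(lfp, cbv)), "argument pairs")
```

Under $\tau^*$ the iteration climbs one value of x per application and reaches f(x, y) = 1 for every x in Nat and every y, ⊥ included, because the inner call f(x, y) is never forced. Under $\hat\tau$ the inner argument is checked against Nat before the body is entered, so f(1, y) needs f(0, ⊥), which is ⊥, and the iteration stops after two applications with f defined only at x = 0. For a verifier such as the one this dissertation describes, the gap matters: a property proved of the least fixed-point (here, f(x, y) = 1 for all x ≥ 0) need not hold of the program the call-by-value evaluator actually runs, so specifications and proofs must be stated against the semantics the implementation realises.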


